phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-11 17:32:41 +01:00

History

epriestley ecd4b03a4e Unbreak OAuth Registration Summary: @vrana patched an important external-CSRF-leaking hole recently (D1558), but since we are sloppy in building this form it got caught in the crossfire. We set action to something like "http://this.server.com/oauth/derp/", but that triggers CSRF protection by removing CSRF tokens from the form. This makes OAuth login not work. Instead, use the local path only so we generate a CSRF token. Test Plan: Registered locally via oauth. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran, epriestley, demo Maniphest Tasks: T853 Differential Revision: https://secure.phabricator.com/D1597	2012-02-08 13:42:48 -08:00
..
base	Preserve "next" URI by using OAuth 'state' parameter	2011-03-07 22:00:57 -08:00
default	Unbreak OAuth Registration	2012-02-08 13:42:48 -08:00

epriestley ecd4b03a4e Unbreak OAuth Registration

Summary:
@vrana patched an important external-CSRF-leaking hole recently (D1558), but
since we are sloppy in building this form it got caught in the crossfire.

We set action to something like "http://this.server.com/oauth/derp/", but that
triggers CSRF protection by removing CSRF tokens from the form. This makes OAuth
login not work.

Instead, use the local path only so we generate a CSRF token.

Test Plan: Registered locally via oauth.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran, epriestley, demo

Maniphest Tasks: T853

Differential Revision: https://secure.phabricator.com/D1597

2012-02-08 13:42:48 -08:00

base

Preserve "next" URI by using OAuth 'state' parameter

2011-03-07 22:00:57 -08:00

default

Unbreak OAuth Registration

2012-02-08 13:42:48 -08:00