mirror of https://we.phorge.it/source/phorge.git synced 2024-11-30 18:52:42 +01:00
phorge-phorge/src/applications/oauthserver
epriestley 41b9752ba8 Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only
Summary:
Two behavioral changes:

  - If the redirect URI for an application is "https", require HTTPS always.
  - According to my reading of http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 we need to check both names //and values// for parameters. Add value checking. I think this makes more sense in general? No one uses this, soooo...

iiam

Test Plan: This has good coverage already; added some tests for the new cases.

Reviewers: vrana

Reviewed By: vrana

CC: cbg, aran, btrahan

Differential Revision: https://secure.phabricator.com/D5022
2013-02-19 16:09:36 -08:00
__tests__ Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only 2013-02-19 16:09:36 -08:00
controller Apply lint rules to Phabricator 2013-02-19 13:33:10 -08:00
query Delete license headers from files 2012-11-05 11:16:51 -08:00
storage Delete license headers from files 2012-11-05 11:16:51 -08:00
PhabricatorOAuthResponse.php Delete license headers from files 2012-11-05 11:16:51 -08:00
PhabricatorOAuthServer.php Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only 2013-02-19 16:09:36 -08:00
PhabricatorOAuthServerScope.php Apply lint rules to Phabricator 2013-02-19 13:33:10 -08:00