1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-23 23:32:40 +01:00
phorge-phorge/src
vrana 6bd8542abb Avoid sending CSRF token in GET and external forms
Summary:
Sending CSRF token in GET forms is dangerous because if there are external links
on the target page then the token could leak through Referer header.
The token is not required for anything because GET forms are used only to
display data, not to perform operations.
Sending CSRF tokens to external URLs leaks the token immediately.

Please note that <form action> defaults to GET.

PhabricatorUserOAuthSettingsPanelController suffered from this problem for both
reasons.

Test Plan: Save my settings (POST form).

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1558
2012-02-03 10:58:51 -08:00
..
aphront Add basic edit history to herald rules 2012-01-30 11:52:44 -08:00
applications Use GET form in Owners search 2012-02-03 09:32:31 -08:00
docs Document final/private policy 2012-01-31 12:08:15 -08:00
infrastructure Avoid sending CSRF token in GET and external forms 2012-02-03 10:58:51 -08:00
storage Restore Lisk transactional methods 2012-01-31 12:07:34 -08:00
view Avoid sending CSRF token in GET and external forms 2012-02-03 10:58:51 -08:00
__celerity_resource_map__.php Improve Herald personal/global UI/UX 2012-01-31 12:09:29 -08:00
__phutil_library_init__.php Distinguish between aphront and phabricator. 2011-01-22 17:45:28 -08:00
__phutil_library_map__.php Github is actually GitHub 2012-02-02 17:47:04 -08:00