epriestley 39b4d20ce5 Create AphrontWriteGuard, a backup mechanism for CSRF validation ... Summary: Provide a catchall mechanism to find unprotected writes. - Depends on D758. - Similar to WriteOnHTTPGet stuff from Facebook's stack. - Since we have a small number of storage mechanisms and highly structured read/write pathways, we can explicitly answer the question "is this page performing a write?". - Never allow writes without CSRF checks. - This will probably break some things. That's fine: they're CSRF vulnerabilities or weird edge cases that we can fix. But don't push to Facebook for a few days unless you're prepared to deal with this. - **>>> MEGADERP: All Conduit write APIs are currently vulnerable to CSRF! <<<** Test Plan: - Ran some scripts that perform writes (scripts/search indexers), no issues. - Performed normal CSRF submits. - Added writes to an un-CSRF'd page, got an exception. - Executed conduit methods. - Did login/logout (this works because the logged-out user validates the logged-out csrf "token"). - Did OAuth login. - Did OAuth registration. Reviewers: pedram, andrewjcg, erling, jungejason, tuomaspelkonen, aran, codeblock Commenters: pedram CC: aran, epriestley, pedram Differential Revision: 777		2011-08-16 13:29:57 -07:00
..
auxiliaryfield	Tweak Maniphest custom fields	2011-08-15 08:39:18 -07:00
constants	Slightly improve Maniphest documentation.	2011-07-04 13:04:22 -07:00
controller	Tweak Maniphest custom fields	2011-08-15 08:39:18 -07:00
editor/transaction	Make maniphest add CCs when users are @mentioned	2011-07-09 16:54:59 -07:00
extensions	Tweak Maniphest custom fields	2011-08-15 08:39:18 -07:00
query	Move Project list to use ManiphestTaskQuery	2011-07-07 15:27:19 -07:00
replyhandler	Allow configuration of a task-creation email address	2011-07-05 17:17:27 -07:00
storage	Key Value Store for ManiphestTask	2011-07-25 19:11:55 -07:00
view	Create AphrontWriteGuard, a backup mechanism for CSRF validation	2011-08-16 13:29:57 -07:00