1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-22 13:30:55 +01:00
phorge-phorge/webroot/rsrc/js/application
epriestley 3aa17c7443 Prevent CSRF uploads via /file/dropupload/
Summary:
We don't currently validate CSRF tokens on this workflow. This allows an
attacker to upload arbitrary files on the user's behalf. Although I believe the
tight list of servable mime-types means that's more or less the end of the
attack, this is still a vulnerability.

In the long term, the right solution is probably to pass CSRF tokens on all Ajax
requests in an HTTP header (or just a GET param) or something like that.
However, this endpoint is unique and this is the quickest and most direct way to
close the hole.

Test Plan:
  - Drop-uploaded files to Files, Maniphest, Phriction and Differential.
  - Modified CSRF vaidator to use __csrf__.'x' and verified uploads and form
submissions don't work.

Reviewers: andrewjcg, aran, jungejason, tuomaspelkonen, erling
Commenters: andrewjcg, pedram
CC: aran, epriestley, andrewjcg, pedram
Differential Revision: 758
2011-08-16 13:19:10 -07:00
..
core Prevent CSRF uploads via /file/dropupload/ 2011-08-16 13:19:10 -07:00
countdown Remove usage of JX.defer in favor of setTimeout 2011-08-10 18:09:59 -07:00
differential Allow "J" and "K" to jump between files in Differential 2011-08-02 11:11:15 -07:00
diffusion Remove usage of JX.defer in favor of setTimeout 2011-08-10 18:09:59 -07:00
herald Remove usage of JX.defer in favor of setTimeout 2011-08-10 18:09:59 -07:00
maniphest Allow projects to be quickly added from the Maniphest task creation interface 2011-06-13 10:17:08 -07:00
owners Bring Javelin into Phabricator via git submodule, not copy-and-paste 2011-05-08 13:20:10 -07:00
phriction Add a document preview to Phriction 2011-07-16 18:48:27 -07:00
projects Allow administrative editing of project resources 2011-07-21 16:46:28 -07:00