mirror of
https://we.phorge.it/source/phorge.git
synced 2024-09-22 10:18:48 +02:00
7cf0358dda
Summary: Via HackerOne. An attacker can bypass `auth.email-domains` by registering with an email like: aaaaa...aaaaa@evil.com@company.com We'll validate the full string, then insert it into the database where it will be truncated, removing the `@company.com` part. Then we'll send an email to `@evil.com`. Instead, reject email addresses which won't fit in the table. `STRICT_ALL_TABLES` stops this attack, I'm going to add a setup warning encouraging it. Test Plan: - Set `auth.email-domains` to `@company.com`. - Registered with `aaa...aaa@evil.com@company.com`. Previously this worked, now it is rejected. - Did a valid registration. - Tried to add `aaa...aaaa@evil.com@company.com` as an email address. Previously this worked, now it is rejected. - Did a valid email add. - Added and executed unit tests. Reviewers: btrahan, arice Reviewed By: arice CC: aran, chad Differential Revision: https://secure.phabricator.com/D8308 |
||
|---|---|---|
| .. | ||
| config | ||
| PhabricatorAuthConfirmLinkController.php | ||
| PhabricatorAuthController.php | ||
| PhabricatorAuthLinkController.php | ||
| PhabricatorAuthLoginController.php | ||
| PhabricatorAuthNeedsApprovalController.php | ||
| PhabricatorAuthOldOAuthRedirectController.php | ||
| PhabricatorAuthRegisterController.php | ||
| PhabricatorAuthStartController.php | ||
| PhabricatorAuthUnlinkController.php | ||
| PhabricatorAuthValidateController.php | ||
| PhabricatorDisabledUserController.php | ||
| PhabricatorEmailLoginController.php | ||
| PhabricatorEmailTokenController.php | ||
| PhabricatorEmailVerificationController.php | ||
| PhabricatorLogoutController.php | ||
| PhabricatorMustVerifyEmailController.php | ||
| PhabricatorRefreshCSRFController.php | ||