mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 10:22:42 +01:00
phorge-phorge/src/applications
epriestley bcf255e9c9 Require CSRF submission to verify email addresses
Summary: If an attacker somehow intercepts a verification URL for an email address, they can hypothetically CSRF the account owner into verifying it. What you'd do before (how do you get the link?) and after (why do you care that you tricked them into verifying) performing this attack is unclear, but in theory we should require a CSRF submission here; add one.

Test Plan: {F118691}

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D8351
2014-02-26 11:17:46 -08:00
arcanist/conduit Move Conduit methods inside applications 2012-12-21 12:21:59 -08:00
audit Perform search indexing in the worker queue and respect bin/search index --background 2014-01-14 13:22:56 -08:00
auth Require CSRF submission to verify email addresses 2014-02-26 11:17:46 -08:00
base Remove quick create buttons from application launcher 2014-01-29 17:23:50 -08:00
cache Minor, mark SERIALIZATION_PHP fields as BINARY in Lisk 2014-02-23 16:35:51 -08:00
calendar Fix calendar display on profile. 2014-02-25 13:43:31 -08:00
chatlog Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
conduit Truncate Conduit 'clientDescription' so we don't overflow the column 2014-02-25 12:35:03 -08:00
config Recommend STRICT_ALL_TABLES for every install, not just development installs 2014-02-23 10:59:59 -08:00
conpherence Fix calendar display on profile. 2014-02-25 13:43:31 -08:00
countdown [Countdown] fix undefined variable errors 2014-02-05 05:33:31 -08:00
daemon Do not perform write in PhabricatorDaemonLogQuery by default 2014-01-21 14:04:12 -08:00
dashboard Add edit/view plumbing for dashboards and panels 2014-02-03 10:52:15 -08:00
differential Render inline comments in "Pro" mail 2014-02-25 15:29:10 -08:00
diffusion Add ObjectBox around Diffusion Binary Files 2014-02-22 14:08:04 -08:00
diviner Miniturize the nav buttons 2014-01-31 09:10:32 -08:00
doorkeeper Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
draft/storage Differential - add DifferentialDraft to track whether revisions have draft feedback or not 2014-02-18 16:25:16 -08:00
drydock Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
fact Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
feed Add a "Send Test Notification" button to make testing the server easier 2014-02-17 16:00:33 -08:00
files Convert Phabricator to handle "%s" / "%B" properly 2014-02-23 16:20:46 -08:00
flag Work around a bug in PHP 5.3-ish with abstract methods in interfaces 2013-10-25 15:58:17 -07:00
harbormaster Add test coverage that our definition of BMP agrees with MySQL 2014-02-23 16:20:38 -08:00
help/controller Make Differential views capability-sensitive 2013-09-26 18:45:04 -07:00
herald Minor, mark SERIALIZATION_PHP fields as BINARY in Lisk 2014-02-23 16:35:51 -08:00
home Hide upload JS stuff if user isn't logged in 2014-02-21 13:04:23 -08:00
legalpad Update overall revision status after reviewers change 2014-02-25 12:36:49 -08:00
lipsum Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
macro Make Projects a PhabricatorSubscribableInterface, but with restricted defaults 2014-02-10 14:29:17 -08:00
mailinglists Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
maniphest Fix a type issue with FormView juggling 2014-02-24 12:20:49 -08:00
meta Remove quick create buttons from application launcher 2014-01-29 17:23:50 -08:00
metamta Allow unsubscription from projects 2014-02-11 07:45:56 -08:00
notification Add a "Send Test Notification" button to make testing the server easier 2014-02-17 16:00:33 -08:00
nuance Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
oauthserver Initialize used variable 2013-07-09 21:55:27 -07:00
owners Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
passphrase Passphrase - added "looked at secret" transaction. 2014-02-25 14:58:30 -08:00
paste Update overall revision status after reviewers change 2014-02-25 12:36:49 -08:00
people Fix calendar part 2 2014-02-25 14:20:59 -08:00
phame Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
phid Provide result type information in tokenizers 2014-02-14 10:23:56 -08:00
phlux Allow CustomField to provide ApplicationTransaction change details 2014-02-21 11:53:04 -08:00
pholio Update overall revision status after reviewers change 2014-02-25 12:36:49 -08:00
phortune Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
phpast Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
phragment Fix for Phragment ZIP controller 2014-02-15 11:48:07 +11:00
phrequent Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
phriction Make Projects a PhabricatorSubscribableInterface, but with restricted defaults 2014-02-10 14:29:17 -08:00
policy Make the "you can't edit away your edit capability" policy check generic 2014-02-10 14:31:16 -08:00
ponder Allow CustomField to provide ApplicationTransaction change details 2014-02-21 11:53:04 -08:00
project Move many task status hardcodes into ManiphestTaskStatus 2014-02-17 15:59:31 -08:00
releeph Implement "Repository" as a new-style CustomField in Differential 2014-02-21 11:53:37 -08:00
remarkup/conduit Support processing Remarkup in bulk with remarkup.processbulk Conduit method 2013-11-02 16:30:11 -07:00
repository Remove "dateCommitted" field from DifferentialRevision 2014-02-25 12:36:14 -08:00
search Herald - add application search for transcripts 2014-02-21 12:51:25 -08:00
settings Disallow email addresses which will overflow MySQL storage 2014-02-23 10:19:35 -08:00
slowvote Allow CustomField to provide ApplicationTransaction change details 2014-02-21 11:53:04 -08:00
subscriptions Make Projects a PhabricatorSubscribableInterface, but with restricted defaults 2014-02-10 14:29:17 -08:00
system Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
tokens Wrap the feed text rendering stuff with htmlspecialchars_decode 2014-02-03 17:05:30 -08:00
transactions Render inline comments in "Pro" mail 2014-02-25 15:29:10 -08:00
typeahead Make projects appear in all mailable tokenizers 2014-02-18 16:32:41 -08:00
uiexample PHUITimelineView 2014-02-12 09:02:05 -08:00
xhprof Use JSON, not PHP serialization, for XHProf profiles. 2014-02-24 04:16:52 -08:00