phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2024-09-22 18:28:47 +02:00

History

epriestley 41b9752ba8 Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only Summary: Two behavioral changes: - If the redirect URI for an application is "https", require HTTPS always. - According to my reading of http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 we need to check both names //and values// for parameters. Add value checking. I think this makes more sense in general? No one uses this, soooo... iiam Test Plan: This has good coverage already; added some tests for the new cases. Reviewers: vrana Reviewed By: vrana CC: cbg, aran, btrahan Differential Revision: https://secure.phabricator.com/D5022	2013-02-19 16:09:36 -08:00
..
PhabricatorOAuthServerTestCase.php	Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only	2013-02-19 16:09:36 -08:00

epriestley 41b9752ba8 Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only

Summary:
Two behavioral changes:

  - If the redirect URI for an application is "https", require HTTPS always.
  - According to my reading of http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 we need to check both names //and values// for parameters. Add value checking. I think this makes more sense in general? No one uses this, soooo...

iiam

Test Plan: This has good coverage already; added some tests for the new cases.

Reviewers: vrana

Reviewed By: vrana

CC: cbg, aran, btrahan

Differential Revision: https://secure.phabricator.com/D5022

2013-02-19 16:09:36 -08:00

PhabricatorOAuthServerTestCase.php

Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only

2013-02-19 16:09:36 -08:00