epriestley df361470c1 Be more strict about "Location:" redirects ... Summary: Via HackerOne. Chrome (at least) interprets backslashes like forward slashes, so a redirect to "/\evil.com" is the same as a redirect to "//evil.com". - Reject local URIs with backslashes (we never generate these). - Fully-qualify all "Location:" redirects. - Require external redirects to be marked explicitly. Test Plan: - Expanded existing test coverage. - Verified that neither Diffusion nor Phriction can generate URIs with backslashes (they are escaped in Diffusion, and removed by slugging in Phriction). - Logged in with Facebook (OAuth2 submits a form to the external site, and isn't affected) and Twitter (OAuth1 redirects, and is affected). - Went through some local redirects (login, save-an-object). - Verified file still work. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D10291		2014-08-18 14:11:06 -07:00
..
application	Provide a purchase detail view in Phortune	2014-08-18 13:15:21 -07:00
constants	General cleanup for adding payment methods in Phortune	2013-04-25 09:49:32 -07:00
control	Convert AphrontFormControl to safe HTML	2013-02-05 15:52:46 -08:00
controller	Provide a purchase detail view in Phortune	2014-08-18 13:15:21 -07:00
currency	Phortune Charges	2014-07-23 10:36:12 -07:00
editor	Modularize mail tags	2014-08-12 12:28:41 -07:00
exception	Implement Balanced Payments as a PhortunePaymentProvider	2013-04-25 09:48:04 -07:00
option	Change double quotes to single quotes.	2014-06-09 11:36:50 -07:00
provider	Be more strict about "Location:" redirects	2014-08-18 14:11:06 -07:00
query	Provide a purchase detail view in Phortune	2014-08-18 13:15:21 -07:00
storage	Provide a purchase detail view in Phortune	2014-08-18 13:15:21 -07:00
view	General cleanup for adding payment methods in Phortune	2013-04-25 09:49:32 -07:00