Page MenuHomePhabricator
Differential D10291

Be more strict about "Location:" redirects
ClosedPublic
Actions

Authored by epriestley on Aug 18 2014, 8:14 PM.
Tags
None
Referenced Files
F13397188: D10291.diff
Thu, Jul 4, 5:26 AM
F13391932: D10291.diff
Tue, Jul 2, 12:35 PM
F13374329: D10291.diff
Sat, Jun 29, 12:28 AM
F13365200: D10291.id24783.diff
Wed, Jun 26, 1:32 PM
F13358854: D10291.diff
Tue, Jun 25, 8:33 AM
F13280722: D10291.diff
Jun 2 2024, 9:10 AM
F13267314: D10291.diff
May 29 2024, 3:08 AM
F13266350: D10291.diff
May 28 2024, 1:06 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Commits
Restricted Diffusion Commit
rPdf361470c1d9: Be more strict about "Location:" redirects
Summary

Via HackerOne. Chrome (at least) interprets backslashes like forward slashes, so a redirect to "/\evil.com" is the same as a redirect to "//evil.com".

  • Reject local URIs with backslashes (we never generate these).
  • Fully-qualify all "Location:" redirects.
  • Require external redirects to be marked explicitly.
Test Plan
  • Expanded existing test coverage.
  • Verified that neither Diffusion nor Phriction can generate URIs with backslashes (they are escaped in Diffusion, and removed by slugging in Phriction).
  • Logged in with Facebook (OAuth2 submits a form to the external site, and isn't affected) and Twitter (OAuth1 redirects, and is affected).
  • Went through some local redirects (login, save-an-object).
  • Verified file still work.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Diff 24779.Aug 18 2014, 8:14 PM
epriestley retitled this revision from to Be more strict about "Location:" redirects.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
Herald added a subscriber: epriestley. · View Herald TranscriptAug 18 2014, 8:14 PM
Harbormaster completed remote builds in B2267: Diff 24779.Aug 18 2014, 8:15 PM
epriestley added a comment.Aug 18 2014, 8:28 PM

It's possible that I missed an AphrontRedirectResponse somewhere which takes an external URI -- we have a lot of them, and I tried to review them all but there are seriously like a billion.

If I did, users will hit an exception about remote vs local redirects. The fix is to add ->setIsExternal(true) to the AphontRedirectResponse to mark it as external.

(The OAuth server uses a <form /> that users explicitly click nowadays, which is why doesn't get marked in this diff.)

btrahan accepted this revision.Aug 18 2014, 8:31 PM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Aug 18 2014, 8:31 PM
epriestley closed this revision.Aug 18 2014, 9:11 PM
epriestley updated this revision to Diff 24783.

Closed by commit rPdf361470c1d9 (authored by @epriestley).

Revision Contents
Changeset List

PathSize
src/
2 lines
aphront/
response/
82 lines
__tests__/
63 lines
applications/
auth/
provider/
4 lines
files/
controller/
6 lines
phortune/
provider/
4 lines
8 lines
infrastructure/
env/
15 lines
__tests__/
1 line
testing/
4 lines

Diff 24783

View Options

src/__phutil_library_map__.php

Loading...
View Options

src/aphront/response/AphrontRedirectResponse.php

Loading...
View Options

src/aphront/response/__tests__/AphrontRedirectResponseTestCase.php

Loading...
View Options

src/applications/auth/provider/PhabricatorOAuth1AuthProvider.php

Loading...
View Options

src/applications/files/controller/PhabricatorFileDataController.php

Loading...
View Options

src/applications/phortune/provider/PhortunePaypalPaymentProvider.php

Loading...
View Options

src/applications/phortune/provider/PhortuneWePayPaymentProvider.php

Loading...
View Options

src/infrastructure/env/PhabricatorEnv.php

Loading...
View Options

src/infrastructure/env/__tests__/PhabricatorEnvTestCase.php

Loading...
View Options

src/infrastructure/testing/PhabricatorTestCase.php

Loading...
Phabricator · Built by Phacility