
Improve protection against SSRF attacks
Closed, Public

Authored by epriestley on Mar 25 2015, 12:49 AM.

Details

Summary

Ref T6755. This improves our resistance to SSRF attacks:

  • Follow redirects manually and verify each component of the redirect chain.
  • Handle authentication provider profile picture fetches more strictly.

Test Plan

  • Tried to download macros from various URIs which issued redirects, etc.
  • Downloaded an actual macro.
  • Went through external account workflow.
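
The first item in the summary (follow redirects manually and verify each hop) can be sketched as below. This is an added example, not code from this revision or from Phabricator; the function names, the injected `fetch_once`/`resolve` callables, and the sample hosts and addresses are all hypothetical and constructed so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}

class UnsafeURI(Exception):
    """Raised when any hop of the chain fails validation."""

def check_uri(uri, resolve):
    """One hop: scheme allowlist, then every resolved address must be public."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise UnsafeURI(f"scheme or host not allowed: {uri}")
    addrs = resolve(parts.hostname)
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        raise UnsafeURI(f"{parts.hostname} resolves to a non-public address")

def fetch_checked(uri, fetch_once, resolve):
    """Follow redirects by hand, validating each hop before it is requested."""
    for _ in range(MAX_REDIRECTS + 1):
        check_uri(uri, resolve)
        status, location, body = fetch_once(uri)  # client must not auto-follow
        if status not in REDIRECT_CODES or not location:
            return uri, body
        uri = urljoin(uri, location)  # Location may be relative
    raise UnsafeURI("too many redirects")

# Constructed sample data (hypothetical hosts and answers) so this runs offline.
FAKE_DNS = {"img.example.com": ["93.184.216.34"], "cdn.example.com": ["93.184.216.35"],
            "redir.example.net": ["8.8.8.8"], "intranet.example.net": ["10.0.0.5"]}
FAKE_WEB = {
    "http://img.example.com/a.png": (302, "//cdn.example.com/a.png", b""),
    "http://cdn.example.com/a.png": (200, None, b"PNG"),
    "http://redir.example.net/r": (302, "http://127.0.0.1:8080/", b""),
    "http://redir.example.net/loop": (302, "/loop", b""),
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [host])  # IP literals "resolve" to themselves
fake_fetch = FAKE_WEB.__getitem__

def is_blocked(uri):
    try:
        fetch_checked(uri, fake_fetch, fake_resolve)
        return False
    except UnsafeURI:
        return True
```

In a real fetcher the connection must be made to the same address that passed `check_uri`; re-resolving the hostname at connect time leaves a gap between the check and the request.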

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Improve protection against SSRF attacks.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: btrahan.
btrahan edited edge metadata.
This revision is now accepted and ready to land. (Mar 25 2015, 1:37 AM)
This revision was automatically updated to reflect the committed changes.