Page MenuHomePhabricator
Differential D12151

Improve protection against SSRF attacks
ClosedPublic
Actions

Authored by epriestley on Mar 25 2015, 12:49 AM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 17, 9:43 PM
Unknown Object (File)
Tue, Dec 17, 2:12 PM
Unknown Object (File)
Mon, Dec 9, 2:44 PM
Unknown Object (File)
Mon, Dec 9, 5:49 AM
Unknown Object (File)
Thu, Dec 5, 4:16 AM
Unknown Object (File)
Sun, Dec 1, 9:38 AM
Unknown Object (File)
Wed, Nov 27, 4:15 PM
Unknown Object (File)
Tue, Nov 26, 8:30 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T6755: Allow more granular configuration of `security.allow-outbound-http`
Commits
Restricted Diffusion Commit
rP4f8147dbb8c0: Improve protection against SSRF attacks
Summary

Ref T6755. This improves our resistance to SSRF attacks:

  • Follow redirects manually and verify each component of the redirect chain.
  • Handle authentication provider profile picture fetches more strictly.
Test Plan
  • Tried to download macros from various URIs which issued redirects, etc.
  • Downloaded an actual macro.
  • Went through external account workflow.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 29209.Mar 25 2015, 12:49 AM
epriestley retitled this revision from to Improve protection against SSRF attacks.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T6755: Allow more granular configuration of `security.allow-outbound-http`.
Herald added a subscriber: epriestley. · View Herald TranscriptMar 25 2015, 12:49 AM
epriestley mentioned this in T6755: Allow more granular configuration of `security.allow-outbound-http`.Mar 25 2015, 12:59 AM
btrahan accepted this revision.Mar 25 2015, 1:37 AM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Mar 25 2015, 1:37 AM
Closed by commit rP4f8147dbb8c0: Improve protection against SSRF attacks (authored by epriestley, committed by epriestley). · Explain WhyMar 25 2015, 1:49 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
provider/
14 lines
files/
storage/
97 lines

Diff 29213

View Options

src/applications/auth/provider/PhabricatorAuthProvider.php

Loading...
View Options

src/applications/files/storage/PhabricatorFile.php

Loading...
Phabricator · Built by Phacility