Page MenuHomePhabricator

Improve protection against SSRF attacks

Authored by epriestley on Mar 25 2015, 12:49 AM.



Ref T6755. This improves our resistance to SSRF attacks:

  • Follow redirects manually and verify each component of the redirect chain.
  • Handle authentication provider profile picture fetches more strictly.
Test Plan
  • Tried to download macros from various URIs which issued redirects, etc.
  • Downloaded an actual macro.
  • Went through external account workflow.

Diff Detail

rP Phabricator
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley retitled this revision from to Improve protection against SSRF attacks.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
btrahan edited edge metadata.
This revision is now accepted and ready to land.Mar 25 2015, 1:37 AM
This revision was automatically updated to reflect the committed changes.