Page MenuHomePhabricator
Differential D12151

Improve protection against SSRF attacks
ClosedPublic
Actions

Authored by epriestley on Mar 25 2015, 12:49 AM.
Tags
None
Referenced Files
F15332052: D12151.diff
Fri, Mar 7, 4:25 PM
F15331885: D12151.diff
Fri, Mar 7, 2:56 PM
F15286022: D12151.id29213.diff
Tue, Mar 4, 5:34 PM
F15285910: D12151.id29209.diff
Tue, Mar 4, 4:50 PM
F15285699: D12151.id.diff
Tue, Mar 4, 3:33 PM
Unknown Object (File)
Sat, Feb 22, 4:57 PM
Unknown Object (File)
Mon, Feb 10, 3:35 AM
Unknown Object (File)
Sat, Feb 8, 3:12 AM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T6755: Allow more granular configuration of `security.allow-outbound-http`
Commits
Restricted Diffusion Commit
rP4f8147dbb8c0: Improve protection against SSRF attacks
Summary

Ref T6755. This improves our resistance to SSRF attacks:

  • Follow redirects manually and verify each component of the redirect chain.
  • Handle authentication provider profile picture fetches more strictly.
Test Plan
  • Tried to download macros from various URIs which issued redirects, etc.
  • Downloaded an actual macro.
  • Went through external account workflow.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 29209.Mar 25 2015, 12:49 AM
epriestley retitled this revision from to Improve protection against SSRF attacks.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T6755: Allow more granular configuration of `security.allow-outbound-http`.
Herald added a subscriber: epriestley. · View Herald TranscriptMar 25 2015, 12:49 AM
epriestley mentioned this in T6755: Allow more granular configuration of `security.allow-outbound-http`.Mar 25 2015, 12:59 AM
btrahan accepted this revision.Mar 25 2015, 1:37 AM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Mar 25 2015, 1:37 AM
Closed by commit rP4f8147dbb8c0: Improve protection against SSRF attacks (authored by epriestley, committed by epriestley). · Explain WhyMar 25 2015, 1:49 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
provider/
14 lines
files/
storage/
97 lines

Diff 29213

View Options

src/applications/auth/provider/PhabricatorAuthProvider.php

Loading...
View Options

src/applications/files/storage/PhabricatorFile.php

Loading...
Phabricator · Built by Phacility