Page MenuHomePhabricator

Fix a CSRF issue with adding new email addresses
ClosedPublic

Authored by epriestley on Jun 30 2016, 3:25 PM.
Tags
None
Referenced Files
F15410329: D16200.id38964.diff
Wed, Mar 19, 7:05 AM
F15386265: D16200.id38964.diff
Sat, Mar 15, 12:15 AM
F15352683: D16200.id38964.diff
Mon, Mar 10, 5:45 PM
Unknown Object (File)
Feb 24 2025, 2:01 PM
Unknown Object (File)
Feb 23 2025, 8:13 AM
Unknown Object (File)
Feb 21 2025, 4:02 AM
Unknown Object (File)
Feb 12 2025, 4:13 AM
Unknown Object (File)
Feb 12 2025, 4:13 AM
Subscribers
None

Details

Summary

The first dialog was being given the wrong user ($user, should be $viewer), leading to a CSRF issue.

(The CSRF token it generated was invalid in all validation contexts, so this wasn't a security problem or a way to capture CSRF tokens for other users.)

Use newDialog() instead.

(This seems completely unrelated to the vaguely-similar-looking issues we saw earlier this week.)

Test Plan
  • Added a new email address.
  • Clicked "Done" on the last step.
  • Completed workflow instead of getting a CSRF error.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Fix a CSRF issue with adding new email addresses.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
tide added a reviewer: tide.
This revision is now accepted and ready to land.Jun 30 2016, 3:31 PM
This revision was automatically updated to reflect the committed changes.