Page MenuHomePhabricator

Fix a CSRF issue with adding new email addresses
ClosedPublic

Authored by epriestley on Jun 30 2016, 3:25 PM.
Tags
None
Referenced Files
F15533593: D16200.id38965.diff
Wed, Apr 23, 8:41 PM
F15528329: D16200.id38965.diff
Tue, Apr 22, 10:27 AM
F15526572: D16200.id38964.diff
Mon, Apr 21, 9:33 PM
F15523878: D16200.id.diff
Mon, Apr 21, 4:19 AM
F15523528: D16200.id38965.diff
Mon, Apr 21, 1:57 AM
F15520961: D16200.diff
Sun, Apr 20, 9:44 AM
F15514837: D16200.diff
Fri, Apr 18, 5:45 AM
F15410329: D16200.id38964.diff
Mar 19 2025, 7:05 AM
Subscribers
None

Details

Summary

The first dialog was being given the wrong user ($user, should be $viewer), leading to a CSRF issue.

(The CSRF token it generated was invalid in all validation contexts, so this wasn't a security problem or a way to capture CSRF tokens for other users.)

Use newDialog() instead.

(This seems completely unrelated to the vaguely-similar-looking issues we saw earlier this week.)

Test Plan
  • Added a new email address.
  • Clicked "Done" on the last step.
  • Completed workflow instead of getting a CSRF error.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Fix a CSRF issue with adding new email addresses.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
tide added a reviewer: tide.
This revision is now accepted and ready to land.Jun 30 2016, 3:31 PM
This revision was automatically updated to reflect the committed changes.