Fix a CSRF issue with adding new email addresses
ClosedPublic
Actions

Authored by epriestley on Jun 30 2016, 3:25 PM.

Details

Reviewers

tide
chad

Commits

rP4f8d07594e2a: Fix a CSRF issue with adding new email addresses

Summary

The first dialog was being given the wrong user ($user, should be $viewer), leading to a CSRF issue.

(The CSRF token it generated was invalid in all validation contexts, so this wasn't a security problem or a way to capture CSRF tokens for other users.)

Use newDialog() instead.

(This seems completely unrelated to the vaguely-similar-looking issues we saw earlier this week.)

Test Plan

Added a new email address.
Clicked "Done" on the last step.
Completed workflow instead of getting a CSRF error.

Diff Detail

Repository

rP Phabricator

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 38964.Jun 30 2016, 3:25 PM

epriestley retitled this revision from to Fix a CSRF issue with adding new email addresses.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added a reviewer: chad.

tide accepted this revision.Jun 30 2016, 3:31 PM

tide added a reviewer: tide.

This revision is now accepted and ready to land.Jun 30 2016, 3:31 PM

Haha

oh you

Closed by commit rP4f8d07594e2a: Fix a CSRF issue with adding new email addresses (authored by epriestley, committed by epriestley). · Explain WhyJun 30 2016, 3:35 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

settings/

panel/

PhabricatorEmailAddressesSettingsPanel.php

6 lines

Diff 38965

View Options

src/applications/settings/panel/PhabricatorEmailAddressesSettingsPanel.php

Fix a CSRF issue with adding new email addressesClosedPublicActions