
Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole
Closed, Public

Authored by epriestley on Nov 15 2018, 1:31 PM.
Referenced Files
F13048574: D19812.diff

Details

Summary

Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine.

This secret isn't critical to protect (it's the hash of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where %P is a more appropriate conversion.

Test Plan

Note "*****" in the middle of the output here, instead of a session key hash:

Screen Shot 2018-11-15 at 5.28.57 AM.png (333×1 px, 102 KB)
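The mechanism the summary relies on, as an added illustration that is not Phabricator's or libphutil's code: a minimal query formatter with a plain `%s` conversion and a secret `%P` conversion that renders its argument for real when the query is executed and as `*****` when the same query is rendered for a debug console. The `Secret` wrapper, the `user_session` table, and the sample key hash are constructed for the example.

```python
from dataclasses import dataclass

MASK = "*****"  # what a debug console sees in place of a %P argument


@dataclass(frozen=True)
class Secret:
    """Marks a value as sensitive (hypothetical stand-in for an opaque envelope)."""
    value: str


def escape_sql_string(value: str) -> str:
    """Quote a string literal; only backslash and single quote need escaping here."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def format_query(pattern: str, *args, masked: bool) -> str:
    """Render %s (escaped string) and %P (secret). masked=True gives the display copy."""
    out, argi, i = [], 0, 0
    while i < len(pattern):
        if pattern[i] != "%":
            out.append(pattern[i])
            i += 1
            continue
        conv = pattern[i + 1] if i + 1 < len(pattern) else ""
        i += 2
        if conv == "%":
            out.append("%")
            continue
        if argi >= len(args):
            raise ValueError("missing argument for %" + conv)
        arg, argi = args[argi], argi + 1
        if conv == "s":
            if isinstance(arg, Secret):  # refuse to leak a secret through %s
                raise TypeError("secret passed to %s; use %P")
            out.append(escape_sql_string(str(arg)))
        elif conv == "P":
            if not isinstance(arg, Secret):
                raise TypeError("%P requires a Secret")
            out.append(escape_sql_string(MASK if masked else arg.value))
        else:
            raise ValueError("unknown conversion %" + conv)
    if argi != len(args):
        raise ValueError("too many arguments")
    return "".join(out)


def load_session_queries(session_type: str, key_hash: str):
    """Return (query to execute, query safe to show in a debug console)."""
    pattern = "SELECT * FROM user_session WHERE type = %s AND sessionKey = %P"
    args = (session_type, Secret(key_hash))
    return (format_query(pattern, *args, masked=False),
            format_query(pattern, *args, masked=True))
```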

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable