
Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole
Closed, Public

Authored by epriestley on Thu, Nov 15, 1:31 PM.

Details

Summary

Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine.

This secret isn't critical to protect (it's the hash of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where %P is a more appropriate conversion.

Test Plan

Note "*****" in the middle of the output here, instead of a session key hash:

Diff Detail

Repository
rP Phabricator
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision. Thu, Nov 15, 1:31 PM
epriestley requested review of this revision. Thu, Nov 15, 1:33 PM
amckinley accepted this revision. Fri, Nov 16, 7:23 PM
This revision is now accepted and ready to land. Fri, Nov 16, 7:23 PM
This revision was automatically updated to reflect the committed changes.
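
The idea in the summary, as an added PHP sketch that is not part of this revision or of Phabricator's code: a query formatter whose secret conversion binds the real value for the database but renders a mask in the string a debug console would display. `Secret`, `build_query()`, the table and column names and the sample hash are assumptions made for the illustration.

```php
<?php
// Added illustration, not Phabricator's qsprintf(); all names are hypothetical.
final class Secret {
  private $value;
  public function __construct(string $value) { $this->value = $value; }
  public function reveal(): string { return $this->value; }
  // A stray string cast (log line, exception text) shows only the mask.
  public function __toString(): string { return '*****'; }
}

// Expands a pattern into SQL with bound parameters for the database and a
// display string for a query log. %s string, %d integer, %P masked secret.
function build_query(string $pattern, array $args): array {
  $sql = $display = '';
  $params = array();
  $parts = preg_split('/(%[sdP])/', $pattern, -1, PREG_SPLIT_DELIM_CAPTURE);
  foreach ($parts as $part) {
    if (!preg_match('/^%[sdP]$/', $part)) {
      $sql .= $part;
      $display .= $part;
      continue;
    }
    if (!$args) {
      throw new InvalidArgumentException('Too few arguments for pattern.');
    }
    $arg = array_shift($args);
    if ($part === '%P') {
      // Reject bare strings so callers cannot skip masking by accident.
      if (!($arg instanceof Secret)) {
        throw new InvalidArgumentException('%P requires a Secret.');
      }
      $params[] = $arg->reveal();
      $display .= "'*****'";
    } else if ($part === '%d') {
      $params[] = (int)$arg;
      $display .= (int)$arg;
    } else {
      $params[] = (string)$arg;
      // Display only; this string is never executed.
      $display .= "'".addslashes((string)$arg)."'";
    }
    $sql .= '?';
  }
  return array('sql' => $sql, 'params' => $params, 'display' => $display);
}

// Constructed sample input; table, columns and hash are made up.
$q = build_query('SELECT * FROM demo_session WHERE keyHash = %P AND expires > %d',
  array(new Secret('constructed-hash-0123abcd'), 1542317460));
echo $q['display'], "\n";
```

Only `$q['sql']` and `$q['params']` go to the database driver; `$q['display']` is the one string handed to logging or profiling code, so the hash never reaches it.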