Page MenuHomePhabricator

Require a CSRF code for Twitter and JIRA (OAuth 1) logins
ClosedPublic

Authored by epriestley on Feb 23 2014, 11:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, May 9, 2:39 AM
Unknown Object (File)
Thu, May 8, 2:28 AM
Unknown Object (File)
Apr 26 2025, 10:27 PM
Unknown Object (File)
Apr 25 2025, 1:58 AM
Unknown Object (File)
Apr 24 2025, 2:18 AM
Unknown Object (File)
Apr 22 2025, 9:39 PM
Unknown Object (File)
Apr 21 2025, 11:27 AM
Unknown Object (File)
Apr 21 2025, 11:24 AM
Subscribers

Details

Summary

OAuth1 doesn't have anything like the state parameter, and I overlooked that we need to shove one in there somewhere. Append it to the callback URI. This functions like state in OAuth2.

Without this, an attacker can trick a user into logging into Phabricator with an account the attacker controls.

Test Plan
  • Logged in with JIRA.
  • Logged in with Twitter.
  • Logged in with Facebook (an OAuth2 provider).
  • Linked a Twitter account.
  • Linked a Facebook account.
  • Jiggered codes in URIs and verified that I got the exceptions I expected.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Unknown Object (????).Feb 23 2014, 11:20 PM
  • Restore the check for an empty 'code' parameter for OAuth2.