Page MenuHomePhabricator

Require a CSRF code for Twitter and JIRA (OAuth 1) logins
ClosedPublic

Authored by epriestley on Feb 23 2014, 11:19 PM.
Tags
None
Referenced Files
F15548204: D8318.id19772.diff
Sat, Apr 26, 10:27 PM
F15539505: D8318.id.diff
Fri, Apr 25, 1:58 AM
F15534812: D8318.id19783.diff
Thu, Apr 24, 2:18 AM
F15529675: D8318.id.diff
Tue, Apr 22, 9:39 PM
F15524959: D8318.diff
Mon, Apr 21, 11:27 AM
F15524948: D8318.diff
Mon, Apr 21, 11:24 AM
F15523835: D8318.id19772.diff
Mon, Apr 21, 3:57 AM
F15418532: D8318.id19783.diff
Mar 20 2025, 11:52 PM
Subscribers

Details

Summary

OAuth1 doesn't have anything like the state parameter, and I overlooked that we need to shove one in there somewhere. Append it to the callback URI. This functions like state in OAuth2.

Without this, an attacker can trick a user into logging into Phabricator with an account the attacker controls.

Test Plan
  • Logged in with JIRA.
  • Logged in with Twitter.
  • Logged in with Facebook (an OAuth2 provider).
  • Linked a Twitter account.
  • Linked a Facebook account.
  • Jiggered codes in URIs and verified that I got the exceptions I expected.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Unknown Object (????).Feb 23 2014, 11:20 PM
  • Restore the check for an empty 'code' parameter for OAuth2.