Page MenuHomePhabricator

Require a CSRF code for Twitter and JIRA (OAuth 1) logins
ClosedPublic

Authored by epriestley on Feb 23 2014, 11:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Dec 20, 5:57 AM
Unknown Object (File)
Thu, Dec 12, 10:02 AM
Unknown Object (File)
Mon, Dec 9, 8:52 PM
Unknown Object (File)
Sun, Dec 8, 12:35 PM
Unknown Object (File)
Thu, Dec 5, 8:46 PM
Unknown Object (File)
Wed, Dec 4, 1:52 PM
Unknown Object (File)
Sat, Nov 30, 2:19 PM
Unknown Object (File)
Tue, Nov 26, 3:02 PM
Subscribers

Details

Summary

OAuth1 doesn't have anything like the state parameter, and I overlooked that we need to shove one in there somewhere. Append it to the callback URI. This functions like state in OAuth2.

Without this, an attacker can trick a user into logging into Phabricator with an account the attacker controls.

Test Plan
  • Logged in with JIRA.
  • Logged in with Twitter.
  • Logged in with Facebook (an OAuth2 provider).
  • Linked a Twitter account.
  • Linked a Facebook account.
  • Jiggered codes in URIs and verified that I got the exceptions I expected.

Diff Detail

Repository
rP Phabricator
Branch
twitter1
Lint
Lint Passed
Unit
No Test Coverage

Event Timeline

epriestley updated this revision to Unknown Object (????).Feb 23 2014, 11:20 PM
  • Restore the check for an empty 'code' parameter for OAuth2.