Page MenuHomePhabricator

Require a CSRF code for Twitter and JIRA (OAuth 1) logins
ClosedPublic

Authored by epriestley on Feb 23 2014, 11:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jul 1, 9:43 AM
Unknown Object (File)
Apr 16 2026, 9:49 PM
Unknown Object (File)
Apr 15 2026, 3:35 AM
Unknown Object (File)
Apr 10 2026, 10:14 PM
Unknown Object (File)
Apr 10 2026, 9:11 PM
Unknown Object (File)
Mar 5 2026, 4:30 PM
Unknown Object (File)
Feb 12 2026, 4:35 PM
Unknown Object (File)
Feb 10 2026, 12:39 AM
Subscribers

Details

Summary

OAuth1 doesn't have anything like the state parameter, and I overlooked that we need to shove one in there somewhere. Append it to the callback URI. This functions like state in OAuth2.

Without this, an attacker can trick a user into logging into Phabricator with an account the attacker controls.

Test Plan
  • Logged in with JIRA.
  • Logged in with Twitter.
  • Logged in with Facebook (an OAuth2 provider).
  • Linked a Twitter account.
  • Linked a Facebook account.
  • Jiggered codes in URIs and verified that I got the exceptions I expected.

Diff Detail

Repository
rP Phabricator
Branch
twitter1
Lint
Lint Passed
Unit
No Test Coverage

Event Timeline

epriestley updated this revision to Unknown Object (????).Feb 23 2014, 11:20 PM
  • Restore the check for an empty 'code' parameter for OAuth2.