
Require CSRF submission to verify email addresses
Closed · Public

Authored by epriestley on Feb 26 2014, 3:55 PM.

Details

Summary

If an attacker somehow intercepts a verification URL for an email address, they can hypothetically CSRF the account owner into verifying it. What you'd do before (how do you get the link?) and after (why do you care that you tricked them into verifying) performing this attack is unclear, but in theory we should require a CSRF submission here; add one.

Test Plan

{F118691}

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped
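
The pattern the summary describes, as an added example that is not Phabricator's code: following the emailed link (GET) only renders a confirmation form, and the address is marked verified only by a POST that carries a CSRF token bound to the viewer's session. The handler name, the token scheme, the owner-session check and the sample data are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed for the example: a per-deployment secret and one pending verification.
SERVER_KEY = secrets.token_bytes(32)
PENDING = {"code-abc123": {"user": "alice", "verified": False}}


def csrf_token(session_id: str) -> str:
    """Token derived from the viewer's session; a third-party page cannot compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_verify(method, code, session_user, session_id, form=None):
    """Return (status, body). Only a POST with a valid CSRF token changes state."""
    record = PENDING.get(code)
    if record is None:
        return 404, "unknown verification code"
    # Assumption: verification happens inside the account owner's session.
    if session_user != record["user"]:
        return 403, "log in as the owner of this address"
    if method == "GET":
        # The emailed link has no side effect; it renders a form holding the token.
        token = csrf_token(session_id)
        return 200, ('<form method="POST">'
                     f'<input type="hidden" name="csrf" value="{token}">'
                     '<button>Verify this email address</button></form>')
    if method == "POST":
        supplied = (form or {}).get("csrf", "")
        expected = csrf_token(session_id)
        # Constant-time comparison of the submitted token with the expected one.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 403, "invalid CSRF token"
        record["verified"] = True
        return 200, "email address verified"
    return 405, "method not allowed"
```

A cross-site request that makes the owner's browser load the link now produces only the form, and a forged POST fails because the attacker's page cannot supply the session-bound token.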