Page MenuHomePhabricator

Whitelist allowed editor protocols
ClosedPublic

Authored by epriestley on Mar 17 2014, 6:55 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 15, 2:40 AM
Unknown Object (File)
Thu, Dec 5, 10:16 PM
Unknown Object (File)
Mon, Dec 2, 12:03 PM
Unknown Object (File)
Fri, Nov 29, 2:06 PM
Unknown Object (File)
Fri, Nov 29, 2:06 PM
Unknown Object (File)
Fri, Nov 29, 2:06 PM
Unknown Object (File)
Fri, Nov 29, 2:06 PM
Unknown Object (File)
Fri, Nov 29, 2:05 PM
Subscribers

Details

Reviewers
btrahan
Commits
Restricted Diffusion Commit
rP039b8e43b98c: Whitelist allowed editor protocols
Summary

This is the other half of D8548. Specifically, the attack here was to set your own editor link to javascript\n:... and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here.

We already whitelist linkable protocols in remarkup (uri.allowed-protocols) in general.

Test Plan

Tried to set and use valid/invalid editor URIs.

Screen_Shot_2014-03-17_at_11.45.33_AM.png (996×1 px, 115 KB)

Screen_Shot_2014-03-17_at_11.45.29_AM.png (996×1 px, 205 KB)

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley retitled this revision from to Whitelist allowed editor protocols.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
  • Do a cleaner job when no editor link is configured.
btrahan edited edge metadata.
btrahan added inline comments.
src/applications/config/option/PhabricatorSecurityConfigOptions.php
164

maybe link "Let us know" to the feedback article?

This revision is now accepted and ready to land.Mar 17 2014, 7:40 PM
epriestley edited edge metadata.
  • Link to documentation.
epriestley updated this revision to Diff 20296.

Closed by commit rP039b8e43b98c (authored by @epriestley).