Page MenuHomePhabricator
Differential D8551

Whitelist allowed editor protocols
ClosedPublic
Actions

Authored by epriestley on Mar 17 2014, 6:55 PM.
Tags
None
Referenced Files
F14352788: D8551.diff
Thu, Dec 19, 2:45 PM
Unknown Object (File)
Sun, Dec 15, 2:40 AM
Unknown Object (File)
Thu, Dec 5, 10:16 PM
Unknown Object (File)
Mon, Dec 2, 12:03 PM
Unknown Object (File)
Fri, Nov 29, 2:06 PM
Unknown Object (File)
Fri, Nov 29, 2:06 PM
Unknown Object (File)
Fri, Nov 29, 2:06 PM
Unknown Object (File)
Fri, Nov 29, 2:06 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Commits
Restricted Diffusion Commit
rP039b8e43b98c: Whitelist allowed editor protocols
Summary

This is the other half of D8548. Specifically, the attack here was to set your own editor link to javascript\n:... and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here.

We already whitelist linkable protocols in remarkup (uri.allowed-protocols) in general.

Test Plan

Tried to set and use valid/invalid editor URIs.

Screen_Shot_2014-03-17_at_11.45.33_AM.png (996×1 px, 115 KB)

Screen_Shot_2014-03-17_at_11.45.29_AM.png (996×1 px, 205 KB)

Diff Detail

Repository
rP Phabricator
Branch
whitelisteditorproto
Lint
Lint Passed
Unit
Tests Passed

Event Timeline

epriestley updated this revision to Diff 20291.Mar 17 2014, 6:55 PM
epriestley retitled this revision from to Whitelist allowed editor protocols.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
Herald added a subscriber: epriestley.Mar 17 2014, 6:55 PM
epriestley updated this revision to Diff 20292.Mar 17 2014, 6:59 PM
  • Do a cleaner job when no editor link is configured.
btrahan accepted this revision.Mar 17 2014, 7:40 PM
btrahan edited edge metadata.
btrahan added inline comments.
src/applications/config/option/PhabricatorSecurityConfigOptions.php
161

maybe link "Let us know" to the feedback article?

This revision is now accepted and ready to land.Mar 17 2014, 7:40 PM
epriestley updated this revision to Diff 20295.Mar 17 2014, 8:00 PM
epriestley edited edge metadata.
  • Link to documentation.
epriestley closed this revision.Mar 17 2014, 8:00 PM
epriestley updated this revision to Diff 20296.

Closed by commit rP039b8e43b98c (authored by @epriestley).

chad mentioned this in D10503: Check editor protocol from raw user preference.Sep 16 2014, 4:19 PM
epriestley mentioned this in T11257: HTML in Diffusion not escaped in certain circumstances.Jul 2 2016, 2:49 PM

Revision Contents
Changeset List

PathSize
src/
6 lines
aphront/
configuration/
3 lines
applications/
config/
option/
34 lines
help/
application/
22 lines
controller/
52 lines
people/
storage/
26 lines
settings/
panel/
37 lines
support/
application/
21 lines

Diff 20292

View Options

src/__phutil_library_map__.php

Loading...
View Options

src/aphront/configuration/AphrontDefaultApplicationConfiguration.php

Loading...
View Options

src/applications/config/option/PhabricatorSecurityConfigOptions.php

Loading...
View Options

src/applications/help/application/PhabricatorApplicationHelp.php

Loading...
View Options

src/applications/help/controller/PhabricatorHelpEditorProtocolController.php

Loading...
View Options

src/applications/people/storage/PhabricatorUser.php

Loading...
View Options

src/applications/settings/panel/PhabricatorSettingsPanelDisplayPreferences.php

Loading...
View Options

src/applications/support/application/PhabricatorApplicationSupport.php

Loading...
Phabricator · Built by Phacility