Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F13173848
D8481.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
5 KB
Referenced Files
None
Subscribers
None
D8481.diff
View Options
diff --git a/src/applications/phame/controller/blog/PhameBlogLiveController.php b/src/applications/phame/controller/blog/PhameBlogLiveController.php
--- a/src/applications/phame/controller/blog/PhameBlogLiveController.php
+++ b/src/applications/phame/controller/blog/PhameBlogLiveController.php
@@ -30,39 +30,42 @@
}
if ($blog->getDomain() && ($request->getHost() != $blog->getDomain())) {
- $base_uri = 'http://'.$blog->getDomain().'/';
- if ($request->isFormPost()) {
- return id(new AphrontRedirectResponse())
- ->setURI($base_uri.$this->more);
- } else {
- // If we don't have CSRF, return a dialog instead of automatically
- // redirecting, to prevent this endpoint from serving semi-open
- // redirects.
- $dialog = id(new AphrontDialogView())
- ->setTitle(pht('Blog Moved'))
- ->setUser($user)
- ->appendChild(
- pht('This blog is now hosted at %s.',
- $base_uri))
- ->addSubmitButton(pht('Continue'));
- return id(new AphrontDialogResponse())->setDialog($dialog);
- }
+ $base_uri = $blog->getLiveURI();
+
+ // Don't redirect directly, since the domain is user-controlled and there
+ // are a bevy of security issues associated with automatic redirects to
+ // external domains.
+
+ // Previously we CSRF'd this and someone found a way to pass OAuth
+ // information through it using anchors. Just make users click a normal
+ // link so that this is no more dangerous than any other external link
+ // on the site.
+
+ $dialog = id(new AphrontDialogView())
+ ->setTitle(pht('Blog Moved'))
+ ->setUser($user)
+ ->appendParagraph(pht('This blog is now hosted here:'))
+ ->appendParagraph(
+ phutil_tag(
+ 'a',
+ array(
+ 'href' => $base_uri,
+ ),
+ $base_uri))
+ ->addCancelButton('/');
+
+ return id(new AphrontDialogResponse())->setDialog($dialog);
}
$phame_request = clone $request;
$phame_request->setPath('/'.ltrim($this->more, '/'));
- if ($blog->getDomain()) {
- $uri = new PhutilURI('http://'.$blog->getDomain().'/');
- } else {
- $uri = '/phame/live/'.$blog->getID().'/';
- $uri = PhabricatorEnv::getURI($uri);
- }
+ $uri = $blog->getLiveURI();
$skin = $blog->getSkinRenderer($phame_request);
$skin
->setBlog($blog)
- ->setBaseURI((string)$uri);
+ ->setBaseURI($uri);
$skin->willProcessRequest(array());
return $skin->processRequest();
diff --git a/src/applications/phame/controller/blog/PhameBlogViewController.php b/src/applications/phame/controller/blog/PhameBlogViewController.php
--- a/src/applications/phame/controller/blog/PhameBlogViewController.php
+++ b/src/applications/phame/controller/blog/PhameBlogViewController.php
@@ -158,8 +158,6 @@
$blog,
PhabricatorPolicyCapability::CAN_JOIN);
- $must_use_form = $blog->getDomain();
-
$actions->addAction(
id(new PhabricatorActionView())
->setIcon('new')
@@ -172,8 +170,7 @@
id(new PhabricatorActionView())
->setUser($user)
->setIcon('world')
- ->setHref($this->getApplicationURI('live/'.$blog->getID().'/'))
- ->setRenderAsForm($must_use_form)
+ ->setHref($blog->getLiveURI())
->setName(pht('View Live')));
$actions->addAction(
diff --git a/src/applications/phame/controller/post/PhamePostViewController.php b/src/applications/phame/controller/post/PhamePostViewController.php
--- a/src/applications/phame/controller/post/PhamePostViewController.php
+++ b/src/applications/phame/controller/post/PhamePostViewController.php
@@ -141,14 +141,13 @@
$blog = $post->getBlog();
$can_view_live = $blog && !$post->isDraft();
- $must_use_form = $blog && $blog->getDomain();
if ($can_view_live) {
- $live_uri = 'live/'.$blog->getID().'/post/'.$post->getPhameTitle();
+ $live_uri = $blog->getLiveURI($post);
} else {
$live_uri = 'post/notlive/'.$post->getID().'/';
+ $live_uri = $this->getApplicationURI($live_uri);
}
- $live_uri = $this->getApplicationURI($live_uri);
$actions->addAction(
id(new PhabricatorActionView())
@@ -156,7 +155,6 @@
->setIcon('world')
->setHref($live_uri)
->setName(pht('View Live'))
- ->setRenderAsForm($must_use_form)
->setDisabled(!$can_view_live)
->setWorkflow(!$can_view_live));
diff --git a/src/applications/phame/storage/PhameBlog.php b/src/applications/phame/storage/PhameBlog.php
--- a/src/applications/phame/storage/PhameBlog.php
+++ b/src/applications/phame/storage/PhameBlog.php
@@ -136,6 +136,21 @@
return self::$requestBlog;
}
+ public function getLiveURI(PhamePost $post = null) {
+ if ($this->getDomain()) {
+ $base = new PhutilURI('http://'.$this->getDomain().'/');
+ } else {
+ $base = '/phame/live/'.$this->getID().'/';
+ $base = PhabricatorEnv::getURI($base);
+ }
+
+ if ($post) {
+ $base .= '/post/'.$post->getPhameTitle();
+ }
+
+ return $base;
+ }
+
/* -( PhabricatorPolicyInterface Implementation )-------------------------- */
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Wed, May 8, 9:11 PM (2 w, 20 h ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6273009
Default Alt Text
D8481.diff (5 KB)
Attached To
Mode
D8481: Don't 302 to an external URI, even after CSRF POST
Attached
Detach File
Event Timeline
Log In to Comment