Page MenuHomePhabricator

D8481.diff
No OneTemporary

D8481.diff

diff --git a/src/applications/phame/controller/blog/PhameBlogLiveController.php b/src/applications/phame/controller/blog/PhameBlogLiveController.php
--- a/src/applications/phame/controller/blog/PhameBlogLiveController.php
+++ b/src/applications/phame/controller/blog/PhameBlogLiveController.php
@@ -30,39 +30,42 @@
}
if ($blog->getDomain() && ($request->getHost() != $blog->getDomain())) {
- $base_uri = 'http://'.$blog->getDomain().'/';
- if ($request->isFormPost()) {
- return id(new AphrontRedirectResponse())
- ->setURI($base_uri.$this->more);
- } else {
- // If we don't have CSRF, return a dialog instead of automatically
- // redirecting, to prevent this endpoint from serving semi-open
- // redirects.
- $dialog = id(new AphrontDialogView())
- ->setTitle(pht('Blog Moved'))
- ->setUser($user)
- ->appendChild(
- pht('This blog is now hosted at %s.',
- $base_uri))
- ->addSubmitButton(pht('Continue'));
- return id(new AphrontDialogResponse())->setDialog($dialog);
- }
+ $base_uri = $blog->getLiveURI();
+
+ // Don't redirect directly, since the domain is user-controlled and there
+ // are a bevy of security issues associated with automatic redirects to
+ // external domains.
+
+ // Previously we CSRF'd this and someone found a way to pass OAuth
+ // information through it using anchors. Just make users click a normal
+ // link so that this is no more dangerous than any other external link
+ // on the site.
+
+ $dialog = id(new AphrontDialogView())
+ ->setTitle(pht('Blog Moved'))
+ ->setUser($user)
+ ->appendParagraph(pht('This blog is now hosted here:'))
+ ->appendParagraph(
+ phutil_tag(
+ 'a',
+ array(
+ 'href' => $base_uri,
+ ),
+ $base_uri))
+ ->addCancelButton('/');
+
+ return id(new AphrontDialogResponse())->setDialog($dialog);
}
$phame_request = clone $request;
$phame_request->setPath('/'.ltrim($this->more, '/'));
- if ($blog->getDomain()) {
- $uri = new PhutilURI('http://'.$blog->getDomain().'/');
- } else {
- $uri = '/phame/live/'.$blog->getID().'/';
- $uri = PhabricatorEnv::getURI($uri);
- }
+ $uri = $blog->getLiveURI();
$skin = $blog->getSkinRenderer($phame_request);
$skin
->setBlog($blog)
- ->setBaseURI((string)$uri);
+ ->setBaseURI($uri);
$skin->willProcessRequest(array());
return $skin->processRequest();
diff --git a/src/applications/phame/controller/blog/PhameBlogViewController.php b/src/applications/phame/controller/blog/PhameBlogViewController.php
--- a/src/applications/phame/controller/blog/PhameBlogViewController.php
+++ b/src/applications/phame/controller/blog/PhameBlogViewController.php
@@ -158,8 +158,6 @@
$blog,
PhabricatorPolicyCapability::CAN_JOIN);
- $must_use_form = $blog->getDomain();
-
$actions->addAction(
id(new PhabricatorActionView())
->setIcon('new')
@@ -172,8 +170,7 @@
id(new PhabricatorActionView())
->setUser($user)
->setIcon('world')
- ->setHref($this->getApplicationURI('live/'.$blog->getID().'/'))
- ->setRenderAsForm($must_use_form)
+ ->setHref($blog->getLiveURI())
->setName(pht('View Live')));
$actions->addAction(
diff --git a/src/applications/phame/controller/post/PhamePostViewController.php b/src/applications/phame/controller/post/PhamePostViewController.php
--- a/src/applications/phame/controller/post/PhamePostViewController.php
+++ b/src/applications/phame/controller/post/PhamePostViewController.php
@@ -141,14 +141,13 @@
$blog = $post->getBlog();
$can_view_live = $blog && !$post->isDraft();
- $must_use_form = $blog && $blog->getDomain();
if ($can_view_live) {
- $live_uri = 'live/'.$blog->getID().'/post/'.$post->getPhameTitle();
+ $live_uri = $blog->getLiveURI($post);
} else {
$live_uri = 'post/notlive/'.$post->getID().'/';
+ $live_uri = $this->getApplicationURI($live_uri);
}
- $live_uri = $this->getApplicationURI($live_uri);
$actions->addAction(
id(new PhabricatorActionView())
@@ -156,7 +155,6 @@
->setIcon('world')
->setHref($live_uri)
->setName(pht('View Live'))
- ->setRenderAsForm($must_use_form)
->setDisabled(!$can_view_live)
->setWorkflow(!$can_view_live));
diff --git a/src/applications/phame/storage/PhameBlog.php b/src/applications/phame/storage/PhameBlog.php
--- a/src/applications/phame/storage/PhameBlog.php
+++ b/src/applications/phame/storage/PhameBlog.php
@@ -136,6 +136,21 @@
return self::$requestBlog;
}
+ public function getLiveURI(PhamePost $post = null) {
+ if ($this->getDomain()) {
+ $base = new PhutilURI('http://'.$this->getDomain().'/');
+ } else {
+ $base = '/phame/live/'.$this->getID().'/';
+ $base = PhabricatorEnv::getURI($base);
+ }
+
+ if ($post) {
+ $base .= '/post/'.$post->getPhameTitle();
+ }
+
+ return $base;
+ }
+
/* -( PhabricatorPolicyInterface Implementation )-------------------------- */

File Metadata

Mime Type
text/plain
Expires
Sat, Dec 21, 9:39 AM (17 h, 28 m)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6913463
Default Alt Text
D8481.diff (5 KB)

Event Timeline