Page MenuHomePhabricator
Differential D12151

Improve protection against SSRF attacks
ClosedPublic
Actions

Authored by epriestley on Mar 25 2015, 12:49 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Apr 10, 3:35 PM
Unknown Object (File)
Tue, Apr 9, 7:44 PM
Unknown Object (File)
Sun, Apr 7, 11:52 AM
Unknown Object (File)
Sat, Apr 6, 8:35 AM
Unknown Object (File)
Wed, Apr 3, 7:25 PM
Unknown Object (File)
Wed, Apr 3, 9:13 AM
Unknown Object (File)
Fri, Mar 29, 10:44 PM
Unknown Object (File)
Thu, Mar 28, 8:45 PM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T6755: Allow more granular configuration of `security.allow-outbound-http`
Commits
Restricted Diffusion Commit
rP4f8147dbb8c0: Improve protection against SSRF attacks
Summary

Ref T6755. This improves our resistance to SSRF attacks:

  • Follow redirects manually and verify each component of the redirect chain.
  • Handle authentication provider profile picture fetches more strictly.
Test Plan
  • Tried to download macros from various URIs which issued redirects, etc.
  • Downloaded an actual macro.
  • Went through external account workflow.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 29209.Mar 25 2015, 12:49 AM
epriestley retitled this revision from to Improve protection against SSRF attacks.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T6755: Allow more granular configuration of `security.allow-outbound-http`.
Herald added a subscriber: epriestley. · View Herald TranscriptMar 25 2015, 12:49 AM
epriestley mentioned this in T6755: Allow more granular configuration of `security.allow-outbound-http`.Mar 25 2015, 12:59 AM
btrahan accepted this revision.Mar 25 2015, 1:37 AM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Mar 25 2015, 1:37 AM
Closed by commit rP4f8147dbb8c0: Improve protection against SSRF attacks (authored by epriestley, committed by epriestley). · Explain WhyMar 25 2015, 1:49 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
provider/
14 lines
files/
storage/
97 lines

Diff 29213

View Options

src/applications/auth/provider/PhabricatorAuthProvider.php

Loading...
View Options

src/applications/files/storage/PhabricatorFile.php

Loading...
Phabricator · Built by Phacility