Page MenuHomePhabricator

Fix a CSRF issue with adding new email addresses
ClosedPublic

Authored by epriestley on Jun 30 2016, 3:25 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Jun 30, 11:18 AM
Unknown Object (File)
Sun, Jun 29, 5:15 AM
Unknown Object (File)
Sat, Jun 28, 11:12 AM
Unknown Object (File)
Tue, Jun 17, 5:34 AM
Unknown Object (File)
May 26 2025, 12:40 PM
Unknown Object (File)
May 25 2025, 11:09 PM
Unknown Object (File)
May 20 2025, 10:47 AM
Unknown Object (File)
May 10 2025, 10:08 AM
Subscribers
None

Details

Summary

The first dialog was being given the wrong user ($user, should be $viewer), leading to a CSRF issue.

(The CSRF token it generated was invalid in all validation contexts, so this wasn't a security problem or a way to capture CSRF tokens for other users.)

Use newDialog() instead.

(This seems completely unrelated to the vaguely-similar-looking issues we saw earlier this week.)

Test Plan
  • Added a new email address.
  • Clicked "Done" on the last step.
  • Completed workflow instead of getting a CSRF error.

Diff Detail

Repository
rP Phabricator
Branch
csrf1
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 12841
Build 16363: Run Core Tests
Build 16362: arc lint + arc unit

Event Timeline

epriestley retitled this revision from to Fix a CSRF issue with adding new email addresses.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
tide added a reviewer: tide.
This revision is now accepted and ready to land.Jun 30 2016, 3:31 PM
This revision was automatically updated to reflect the committed changes.