Page MenuHomePhabricator

Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole
ClosedPublic

Authored by epriestley on Nov 15 2018, 1:31 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 22, 1:11 AM
Unknown Object (File)
Thu, Dec 12, 10:34 PM
Unknown Object (File)
Wed, Dec 11, 4:21 PM
Unknown Object (File)
Sat, Dec 7, 11:02 AM
Unknown Object (File)
Tue, Dec 3, 4:20 PM
Unknown Object (File)
Tue, Dec 3, 2:58 PM
Unknown Object (File)
Fri, Nov 29, 8:09 AM
Unknown Object (File)
Thu, Nov 28, 2:15 PM
Subscribers
None

Details

Summary

Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine.

This secret isn't critical to protect (it's the hash of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where %P is a more appropriate conversion.

Test Plan

Note "*****" in the middle of the output here, instead of a session key hash:

Screen Shot 2018-11-15 at 5.28.57 AM.png (333×1 px, 102 KB)

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable