D8776.id20829.diff
Size: 2 KB
diff --git a/src/infrastructure/javelin/markup.php b/src/infrastructure/javelin/markup.php
--- a/src/infrastructure/javelin/markup.php
+++ b/src/infrastructure/javelin/markup.php
@@ -49,25 +49,26 @@
$is_absolute_uri = preg_match('#^(https?:|//)#', $http_action);
if ($is_post) {
- if ($is_absolute_uri) {
- $is_dev = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
- if ($is_dev) {
- $form_domain = id(new PhutilURI($http_action))
- ->getDomain();
- $host_domain = id(new PhutilURI(PhabricatorEnv::getURI('/')))
- ->getDomain();
- if (strtolower($form_domain) == strtolower($host_domain)) {
- throw new Exception(
- pht(
- "You are building a <form /> that submits to Phabricator, but ".
- "has an absolute URI in its 'action' attribute ('%s'). To avoid ".
- "leaking CSRF tokens, Phabricator does not add CSRF information ".
- "to forms with absolute URIs. Instead, use a relative URI.",
- $http_action));
- }
- }
- } else {
+ // NOTE: We only include CSRF tokens if a URI is a local URI on the same
+ // domain. This is an important security feature and prevents forms which
+ // submit to foreign sites from leaking CSRF tokens.
+
+ // In some cases, we may construct a fully-qualified local URI. For example,
+ // we can construct these for download links, depending on configuration.
+
+ // These forms do not receive CSRF tokens, even though they safely could.
+ // This can be confusing, if you're developing for Phabricator and
+ // manage to construct a local form with a fully-qualified URI, since it
+ // won't get CSRF tokens and you'll get an exception at the other end of
+ // the request which is a bit disconnected from the actual root cause.
+
+ // However, this is rare, and there are reasonable cases where this
+ // construction occurs legitimately, and the simplest fix is to omit CSRF
+ // tokens for these URIs in all cases. The error message you receive also
+ // gives you some hints as to this potential source of error.
+
+ if (!$is_absolute_uri) {
$body[] = phutil_tag(
'input',
array(
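Review bot: The new comment block (`// NOTE: We only include CSRF tokens if a URI is a local URI on the same` through `// gives you some hints as to this potential source of error.`) claims that the error raised at the other end of the request hints at this root cause, but nothing in this hunk adds such a hint; please confirm that the CSRF validation failure message elsewhere actually mentions forms whose `action` is a fully-qualified local URI, since the removed `throw new Exception(pht("You are building a <form /> that submits to Phabricator, but ...` branch was the only developer-facing diagnostic for this case and this comment is its stated replacement. The behaviour change itself is sound from a security standpoint: `$is_absolute_uri = preg_match('#^(https?:|//)#', $http_action);` still classifies protocol-relative `//host/...` actions as absolute, so collapsing the branch to `if (!$is_absolute_uri) {` keeps the token off every form that could submit off-site, and because the dropped branch only ever threw when `phabricator.developer-mode` was set, production behaviour is unchanged. Minor style point: a comment of this length reads better as a two- or three-sentence summary with a pointer to where the CSRF failure is reported.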
File Metadata
Mime Type: text/plain
Storage Format: Encrypted (AES-256-CBC)
Attached To: D8776: Remove the developer-specific CSRF help in phabricator_form()