HomePhabricator
Diffusion Phabricator 039b8e43b98c

Whitelist allowed editor protocols
039b8e43b98c
Actions

Description

Whitelist allowed editor protocols

Summary:
This is the other half of D8548. Specifically, the attack here was to set your own editor link to javascript\n:... and then you could XSS yourself. This isn't a hugely damaging attack, but we can be more certain by adding a whitelist here.

We already whitelist linkable protocols in remarkup (uri.allowed-protocols) in general.

Test Plan:
Tried to set and use valid/invalid editor URIs.

Screen_Shot_2014-03-17_at_11.45.33_AM.png (996×1 px, 115 KB)

Screen_Shot_2014-03-17_at_11.45.29_AM.png (996×1 px, 205 KB)

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8551

Details

Provenance
epriestleyAuthored on
epriestleyPushed on Mar 17 2014, 8:00 PM
Reviewer
btrahan
Differential Revision
D8551: Whitelist allowed editor protocols
Parents
rPced70f6b3278: Make install documentation more clear about Windows support
Branches
Unknown
Tags
Unknown

Event Timeline

Changes (11)

PathSize
src/
aphront/
configuration/
applications/
config/
option/
help/
controller/
people/
storage/
settings/
panel/

rP039b8e43b98c

View Options

src/__phutil_library_map__.php

Loading...
View Options

src/aphront/configuration/AphrontDefaultApplicationConfiguration.php

Loading...
View Options

src/applications/config/option/PhabricatorSecurityConfigOptions.php

Loading...
View Options

src/applications/help/application/PhabricatorApplicationHelp.php

Loading...
View Options

src/applications/help/controller/PhabricatorHelpEditorProtocolController.php

Loading...
View Options

src/applications/people/storage/PhabricatorUser.php

Loading...
View Options

src/applications/settings/panel/PhabricatorSettingsPanelDisplayPreferences.php

Loading...
View Options

src/applications/support/application/PhabricatorApplicationSupport.php

Loading...
Phabricator · Built by Phacility