Diffusion Phabricator 41b9752ba8a3

Fix an OAuthServer issue where an attacker could make a link function over HTTP…
41b9752ba8a3
Actions

Tags

None

Subscribers

None

Description

Fix an OAuthServer issue where an attacker could make a link function over HTTP when it should be HTTPS-only

Summary:
Two behavioral changes:

If the redirect URI for an application is "https", require HTTPS always.
According to my reading of http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2 we need to check both names and values for parameters. Add value checking. I think this makes more sense in general? No one uses this, soooo...

iiam

Test Plan: This has good coverage already; added some tests for the new cases.

Reviewers: vrana

Reviewed By: vrana

CC: cbg, aran, btrahan

Differential Revision: https://secure.phabricator.com/D5022

Details

Provenance

Authored on

Reviewer

Differential Revision

Restricted Differential Revision

Parents

rP2191e99b49a2: Delete unused variable

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (2)

Path

Size

src/

applications/

oauthserver/

PhabricatorOAuthServer.php

__tests__/

PhabricatorOAuthServerTestCase.php

rP41b9752ba8a3

src/applications/oauthserver/PhabricatorOAuthServer.php

Loading...

src/applications/oauthserver/tests/PhabricatorOAuthServerTestCase.php

Loading...