HomePhabricator
Diffusion Phabricator 49483bdb4823

Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole
49483bdb4823
Actions

Description

Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole

Summary:
Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine.

This secret isn't critical to protect (it's the hash of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where %P is a more appropriate conversion.

Test Plan:
Note "*****" in the middle of the output here, instead of a session key hash:

Screen Shot 2018-11-15 at 5.28.57 AM.png (333×1 px, 102 KB)

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13217, T13216, T6960

Differential Revision: https://secure.phabricator.com/D19812

Details

Provenance
epriestleyAuthored on Nov 15 2018, 1:28 PM
epriestleyPushed on Nov 16 2018, 8:36 PM
Reviewer
amckinley
Differential Revision
D19812: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole
Parents
rPb2e91d220539: Move the "container updated" message for Buildables that build Diffs outside of…
Branches
Unknown
Tags
Unknown
Tasks
T6960: Support %P in qsprintf()
T13216: 2018 Week 45-47 Bonus Content
T13217: Upgrading: Hardening of qsprintf()
Build Status
Buildable 21179
Build 28797: Run Core Tests

Changes (1)

PathSize
src/
applications/
auth/
engine/

rP49483bdb4823

View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...
Phabricator · Built by Phacility