Diffusion Phabricator 4f8147dbb8c0

Improve protection against SSRF attacks
4f8147dbb8c0
Actions

Description

Improve protection against SSRF attacks

Summary:
Ref T6755. This improves our resistance to SSRF attacks:

Follow redirects manually and verify each component of the redirect chain.
Handle authentication provider profile picture fetches more strictly.

Test Plan:

Tried to download macros from various URIs which issued redirects, etc.
Downloaded an actual macro.
Went through external account workflow.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6755

Differential Revision: https://secure.phabricator.com/D12151

Details

Provenance

epriestley	Authored on
epriestley	Pushed on Mar 25 2015, 1:49 AM

Reviewer

btrahan

Differential Revision

D12151: Improve protection against SSRF attacks

Parents

rP22b2b8eb893a: Fix a bad call in file chunk destruction

Branches

Unknown

Tags

Unknown

Tasks

T6755: Allow more granular configuration of `security.allow-outbound-http`

Event Timeline

epriestley committed rP4f8147dbb8c0: Improve protection against SSRF attacks (authored by epriestley).Mar 25 2015, 1:49 AM

epriestley added a task: T6755: Allow more granular configuration of `security.allow-outbound-http`.

Mnkras mentioned this in T7670: Unable to remove self from Conpherence.Mar 26 2015, 11:00 PM

Changes (2)

Path

Size

src/

applications/

auth/

provider/

PhabricatorAuthProvider.php

files/

storage/

PhabricatorFile.php

rP4f8147dbb8c0

View Options

src/applications/auth/provider/PhabricatorAuthProvider.php