
Require a CSRF code for Twitter and JIRA (OAuth 1) logins

Description

Require a CSRF code for Twitter and JIRA (OAuth 1) logins

Summary:
OAuth1 doesn't have anything like the state parameter, and I overlooked that we need to shove one in there somewhere. Append it to the callback URI. This functions like state in OAuth2.

Without this, an attacker can trick a user into logging into Phabricator with an account the attacker controls.

Test Plan:

  • Logged in with JIRA.
  • Logged in with Twitter.
  • Logged in with Facebook (an OAuth2 provider).
  • Linked a Twitter account.
  • Linked a Facebook account.
  • Jiggered codes in URIs and verified that I got the exceptions I expected.

Reviewers: btrahan, arice

Reviewed By: arice

CC: arice, chad, aran

Differential Revision: https://secure.phabricator.com/D8318
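The check the commit describes, as an added example that is not Phabricator's code: an OAuth 1 login has no `state` parameter, so the server mints a random code when the login starts, keeps it in the server-side session, and appends it to the callback URI handed to the provider. When the provider redirects back, the code in the callback must match the one in the session, and it is consumed so it cannot be reused. The parameter name `code`, the session key and the `example.test` URIs are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

CSRF_PARAM = "code"               # hypothetical query parameter name
SESSION_KEY = "oauth1.login.csrf"  # hypothetical server-side session key


class CsrfMismatch(Exception):
    """Raised when a callback does not carry the code issued for this session."""


def build_callback_uri(base_callback, session):
    """Start an OAuth 1 login.

    Mint a random code, remember it in the caller's server-side session, and
    append it to the callback URI that will be passed to the provider as
    oauth_callback. This plays the role that `state` plays in OAuth 2.
    """
    code = secrets.token_urlsafe(24)
    session[SESSION_KEY] = code
    parts = urlparse(base_callback)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[CSRF_PARAM] = [code]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def verify_callback(callback_uri, session):
    """Finish an OAuth 1 login.

    The code in the callback URI must equal the code stored in the session
    that started the flow. The stored code is removed before comparing, so a
    callback (valid or not) can only be presented once per login attempt; a
    forged callback therefore cannot complete a login the victim never began.
    """
    expected = session.pop(SESSION_KEY, None)
    if expected is None:
        raise CsrfMismatch("no OAuth 1 login in progress for this session")
    presented = parse_qs(urlparse(callback_uri).query).get(CSRF_PARAM, [""])[0]
    # Constant-time comparison on bytes; str compare_digest requires ASCII.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        raise CsrfMismatch("callback code does not match this session")
    return True


def callback_is_accepted(callback_uri, session):
    """True if the callback verifies for this session, False if it is rejected."""
    try:
        return verify_callback(callback_uri, session)
    except CsrfMismatch:
        return False


if __name__ == "__main__":
    # Legitimate flow: the same session starts and finishes the login.
    user_session = {}
    uri = build_callback_uri("https://example.test/auth/twitter/callback", user_session)
    print("legitimate callback accepted:", callback_is_accepted(uri, user_session))

    # Login-CSRF attempt: a callback minted in one session is delivered to
    # another session (the scenario the commit message describes). Rejected.
    victim_session = {}
    build_callback_uri("https://example.test/auth/jira/callback", victim_session)
    other_session = {}
    foreign = build_callback_uri("https://example.test/auth/jira/callback", other_session)
    print("foreign callback accepted:", callback_is_accepted(foreign, victim_session))
```

The code rides in the query string of the `oauth_callback` URI registered at the request-token step, so the provider echoes it back unchanged; the server never trusts the URI alone and always checks it against the session that opened the flow.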

Details

Provenance
Authored by epriestley
Pushed by epriestley on Feb 24 2014, 12:39 AM
Reviewer: arice
Differential Revision: D8318: Require a CSRF code for Twitter and JIRA (OAuth 1) logins
Parents: rP438915032ae3: Minor, mark SERIALIZATION_PHP fields as BINARY in Lisk
Branches: Unknown
Tags: Unknown
