CSRF / Logout

+152 -7
+2
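--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -137,6 +137,7 @@
 'PhabricatorFileViewController' => 'applications/files/controller/view',
 'PhabricatorLiskDAO' => 'applications/base/storage/lisk',
 'PhabricatorLoginController' => 'applications/auth/controlller/login',
+'PhabricatorLogoutController' => 'applications/auth/controlller/logout',
 'PhabricatorMailImplementationAdapter' => 'applications/metamta/adapter/base',
 'PhabricatorMailImplementationPHPMailerLiteAdapter' => 'applications/metamta/adapter/phpmailerlite',
 'PhabricatorMetaMTAController' => 'applications/metamta/controller/base',
@@ -290,6 +291,7 @@
 'PhabricatorFileViewController' => 'PhabricatorFileController',
 'PhabricatorLiskDAO' => 'LiskDAO',
 'PhabricatorLoginController' => 'PhabricatorAuthController',
+'PhabricatorLogoutController' => 'PhabricatorAuthController',
 'PhabricatorMailImplementationPHPMailerLiteAdapter' => 'PhabricatorMailImplementationAdapter',
 'PhabricatorMetaMTAController' => 'PhabricatorController',
 'PhabricatorMetaMTADAO' => 'PhabricatorLiskDAO',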
+1
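--- a/src/aphront/default/configuration/AphrontDefaultApplicationConfiguration.php
+++ b/src/aphront/default/configuration/AphrontDefaultApplicationConfiguration.php
@@ -116,6 +116,7 @@
 ),
 
 '/login/' => 'PhabricatorLoginController',
+'/logout/' => 'PhabricatorLogoutController',
 );
 }
 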
+3 -1
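--- a/src/aphront/request/AphrontRequest.php
+++ b/src/aphront/request/AphrontRequest.php
@@ -86,7 +86,9 @@
 }
 
 final public function isFormPost() {
-return $this->getExists(self::TYPE_FORM) && $this->isHTTPPost();
+return $this->getExists(self::TYPE_FORM) &&
+$this->isHTTPPost() &&
+$this->getUser()->validateCSRFToken($this->getStr('__csrf__'));
 }
 
 final public function getCookie($name, $default = null) {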
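Review bot: A POST whose `__csrf__` token fails validation is now indistinguishable from a plain GET, because isFormPost() simply returns false and the calling controller re-renders its form with the submission silently dropped and nothing logged. A rejected token is a signal worth surfacing: consider checking it separately ahead of the existing return, e.g. `if ($this->getExists(self::TYPE_FORM) && $this->isHTTPPost() && !$this->getUser()->validateCSRFToken($this->getStr('__csrf__'))) { throw new Exception('Invalid CSRF token.'); }`, so the failure is visible to the user and to error logging. The protection also only covers handlers that go through isFormPost(); any handler that tests isHTTPPost() directly is not covered, which deserves a docblock on this method stating that isFormPost() is the CSRF-checked entry point for form submissions.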
+2 -1
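--- a/src/applications/auth/controlller/login/PhabricatorLoginController.php
+++ b/src/applications/auth/controlller/login/PhabricatorLoginController.php
@@ -26,7 +26,7 @@
 $request = $this->getRequest();
 
 $error = false;
-$login_name = $request->getCookie('phu');
+$login_name = $request->getCookie('phusr');
 if ($request->isFormPost()) {
 $login_name = $request->getStr('login');
 
@@ -89,6 +89,7 @@
 
 $form = new AphrontFormView();
 $form
+->setUser($request->getUser())
 ->setAction('/login/')
 ->appendChild(
 id(new AphrontFormTextControl())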
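Review bot: The login form now embeds a token from `$request->getUser()` (line 92), but for a logged-out visitor that user object carries no PHID (PhabricatorStandardPageView uses an empty PHID as its logged-out test) and presumably no password hash, so by PhabricatorUser::generateCSRFToken the token reduces to a function of the fixed key and the current hour and is the same for every anonymous visitor. It therefore does not bind the login form to the particular client that requested it; consider deriving the token for anonymous viewers from a per-client value such as a cookie-bound nonce, and documenting on the form which case applies. The cookie rename from `phu` to `phusr` on line 29 also means existing clients lose their remembered login name once this deploys, which is worth a line in the commit description if intentional.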
+37
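--- a/src/applications/auth/controlller/logout/PhabricatorLogoutController.php
+++ b/src/applications/auth/controlller/logout/PhabricatorLogoutController.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+* Copyright 2011 Facebook, Inc.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+class PhabricatorLogoutController extends PhabricatorAuthController {
+
+public function shouldRequireLogin() {
+return true;
+}
+
+public function processRequest() {
+$request = $this->getRequest();
+
+if ($request->isFormPost()) {
+$request->clearCookie('phsid');
+return id(new AphrontRedirectResponse())
+->setURI('/login/');
+}
+
+return id(new AphrontRedirectResponse())->setURI('/');
+}
+
+}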
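Review bot: processRequest() only clears the `phsid` cookie on the client (line 29); nothing in this file invalidates the session on the server, so if sessions are persisted server-side a session identifier that has leaked elsewhere presumably keeps working until it expires on its own — confirm, and if so revoke the server-side session record here as well. The class also has no docblock; a line such as `/** Ends the viewer's session on a CSRF-checked POST to /logout/; any other request is redirected to / without side effects. */` would record that the GET branch on line 34 is deliberate. Because shouldRequireLogin() returns true, an already logged-out visitor reaching /logout/ is handled by the login requirement rather than by this controller, which is worth a one-line comment on line 21.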
+15
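--- a/src/applications/auth/controlller/logout/__init__.php
+++ b/src/applications/auth/controlller/logout/__init__.php
@@ -0,0 +1,15 @@
+<?php
+/**
+* This file is automatically generated. Lint this module to rebuild it.
+* @generated
+*/
+
+
+
+phutil_require_module('phabricator', 'aphront/response/redirect');
+phutil_require_module('phabricator', 'applications/auth/controlller/base');
+
+phutil_require_module('phutil', 'utils');
+
+
+phutil_require_source('PhabricatorLogoutController.php');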
+4
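--- a/src/applications/conduit/controller/console/PhabricatorConduitConsoleController.php
+++ b/src/applications/conduit/controller/console/PhabricatorConduitConsoleController.php
@@ -26,6 +26,9 @@
 }
 
 public function processRequest() {
+
+$request = $this->getRequest();
+
 $methods = $this->getAllMethods();
 if (empty($methods[$this->method])) {
 $this->method = key($methods);
@@ -55,6 +58,7 @@
 
 $form = new AphrontFormView();
 $form
+->setUser($request->getUser())
 ->setAction('/api/'.$this->method)
 ->appendChild(
 id(new AphrontFormStaticControl())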
+3
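--- a/src/applications/differential/controller/diffview/DifferentialDiffViewController.php
+++ b/src/applications/differential/controller/diffview/DifferentialDiffViewController.php
@@ -25,6 +25,8 @@
 }
 
 public function processRequest() {
+$request = $this->getRequest();
+
 $diff = id(new DifferentialDiff())->load($this->id);
 if (!$diff) {
 return new Aphront404Response();
@@ -40,6 +42,7 @@
 
 $action_form = new AphrontFormView();
 $action_form
+->setUser($request->getUser())
 ->setAction('/differential/revision/edit/')
 ->addHiddenInput('diffID', $diff->getID())
 ->addHiddenInput('viaDiffView', 1)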
+1
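--- a/src/applications/differential/controller/revisionedit/DifferentialRevisionEditController.php
+++ b/src/applications/differential/controller/revisionedit/DifferentialRevisionEditController.php
@@ -100,6 +100,7 @@
 }
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
 if ($diff) {
 $form->addHiddenInput('diffID', $diff->getID());
 }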
+1
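--- a/src/applications/differential/controller/revisionview/DifferentialRevisionViewController.php
+++ b/src/applications/differential/controller/revisionview/DifferentialRevisionViewController.php
@@ -84,6 +84,7 @@
 $comment_form->setRevision($revision);
 $comment_form->setActions($this->getRevisionCommentActions($revision));
 $comment_form->setActionURI('/differential/comment/save/');
+$comment_form->setUser($request->getUser());
 
 return $this->buildStandardPageResponse(
 '<div class="differential-primary-pane">'.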
+6 -1
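--- a/src/applications/differential/view/addcomment/DifferentialAddCommentView.php
+++ b/src/applications/differential/view/addcomment/DifferentialAddCommentView.php
@@ -21,6 +21,7 @@
 private $revision;
 private $actions;
 private $actionURI;
+private $user;
 
 public function setRevision($revision) {
 $this->revision = $revision;
@@ -36,8 +37,11 @@
 $this->actionURI = $uri;
 }
 
-public function render() {
+public function setUser(PhabricatorUser $user) {
+$this->user = $user;
+}
 
+public function render() {
 $revision = $this->revision;
 
 $actions = array();
@@ -47,6 +51,7 @@
 
 $form = new AphrontFormView();
 $form
+->setUser($this->user)
 ->setAction($this->actionURI)
 ->addHiddenInput('revision_id', $revision->getID())
 ->appendChild(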
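Review bot: render() forwards `$this->user` to AphrontFormView::setUser() on line 54, whose parameter is type-hinted `PhabricatorUser`; a caller that builds this view without calling the new setUser() therefore fails with a type error on the null argument, which is a less helpful failure than the explicit exception AphrontFormView raises from renderDataInputs(). A guard at the top of render(), `if (!$this->user) { throw new Exception('Call setUser() before rendering DifferentialAddCommentView.'); }`, names the actual mistake. Unlike AphrontFormView::setUser(), the setUser() added on line 40 returns nothing; if the view is meant to be used fluently add `return $this;`, otherwise a docblock stating that the viewer must be set before render() is enough. render()'s body continues past the end of the hunk.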
+1
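--- a/src/applications/directory/controller/categoryedit/PhabricatorDirectoryCategoryEditController.php
+++ b/src/applications/directory/controller/categoryedit/PhabricatorDirectoryCategoryEditController.php
@@ -64,6 +64,7 @@
 }
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
 if ($category->getID()) {
 $form->setAction('/directory/category/edit/'.$category->getID().'/');
 } else {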
+2
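--- a/src/applications/directory/controller/itemedit/PhabricatorDirectoryItemEditController.php
+++ b/src/applications/directory/controller/itemedit/PhabricatorDirectoryItemEditController.php
@@ -73,6 +73,8 @@
 }
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
+
 if ($item->getID()) {
 $form->setAction('/directory/item/edit/'.$item->getID().'/');
 } else {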
+1
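--- a/src/applications/files/controller/upload/PhabricatorFileUploadController.php
+++ b/src/applications/files/controller/upload/PhabricatorFileUploadController.php
@@ -34,6 +34,7 @@
 
 $form = new AphrontFormView();
 $form->setAction('/file/upload/');
+$form->setUser($request->getUser());
 
 $form
 ->setEncType('multipart/form-data')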
+1
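--- a/src/applications/metamta/controller/mailinglistedit/PhabricatorMetaMTAMailingListEditController.php
+++ b/src/applications/metamta/controller/mailinglistedit/PhabricatorMetaMTAMailingListEditController.php
@@ -65,6 +65,7 @@
 }
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
 if ($list->getID()) {
 $form->setAction('/mail/lists/edit/'.$list->getID().'/');
 } else {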
+1
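--- a/src/applications/metamta/controller/send/PhabricatorMetaMTASendController.php
+++ b/src/applications/metamta/controller/send/PhabricatorMetaMTASendController.php
@@ -49,6 +49,7 @@
 
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
 $form->setAction('/mail/send/');
 $form
 ->appendChild(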
+4 -1
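--- a/src/applications/metamta/controller/view/PhabricatorMetaMTAViewController.php
+++ b/src/applications/metamta/controller/view/PhabricatorMetaMTAViewController.php
@@ -26,14 +26,17 @@
 
 public function processRequest() {
 
+$request = $this->getRequest();
+
 $mail = id(new PhabricatorMetaMTAMail())->load($this->id);
 if (!$mail) {
 return new Aphront404Response();
 }
-
+
 $status = PhabricatorMetaMTAMail::getReadableStatus($mail->getStatus());
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
 $form->setAction('/mail/send/');
 $form
 ->appendChild(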
+1
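--- a/src/applications/people/controller/edit/PhabricatorPeopleEditController.php
+++ b/src/applications/people/controller/edit/PhabricatorPeopleEditController.php
@@ -84,6 +84,7 @@
 }
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
 if ($user->getUsername()) {
 $form->setAction('/people/edit/'.$user->getUsername().'/');
 } else {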
+27
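--- a/src/applications/people/storage/user/PhabricatorUser.php
+++ b/src/applications/people/storage/user/PhabricatorUser.php
@@ -27,6 +27,8 @@
 protected $passwordSalt;
 protected $passwordHash;
 
+private $sessionKey;
+
 public function getConfiguration() {
 return array(
 self::CONFIG_AUX_PHID => true,
@@ -58,6 +60,31 @@
 $password = md5($password);
 }
 return $password;
+}
+
+const CSRF_CYCLE_FREQUENCY = 3600;
+
+public function getCSRFToken() {
+return $this->generateCSRFToken(time());
+}
+
+public function validateCSRFToken($token) {
+for ($ii = -1; $ii <= 1; $ii++) {
+$time = time() + (self::CSRF_CYCLE_FREQUENCY * $ii);
+$valid = $this->generateCSRFToken($time);
+if ($token == $valid) {
+return true;
+}
+}
+return false;
+}
+
+private function generateCSRFToken($epoch) {
+$time_block = floor($epoch / (60 * 60));
+// TODO: this should be a secret lolol
+$key = '0b7ec0592e0a2829d8b71df2fa269b2c6172eca3';
+$vec = $this->getPHID().$this->passwordHash.$key.$time_block;
+return substr(md5($vec), 0, 16);
 }
 
 }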
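Review bot: validateCSRFToken() compares the submitted token with `==` on line 75, and PHP's loose comparison treats numeric-looking strings as numbers, so two distinct hex digests can compare equal when both happen to be numeric strings; use `if ($token === $valid) {` (or a constant-time comparison helper if the codebase has one). generateCSRFToken() divides by the literal `60 * 60` on line 83 while validateCSRFToken() steps by `self::CSRF_CYCLE_FREQUENCY` on line 73, so the two silently disagree as soon as the constant is changed; write `$time_block = floor($epoch / self::CSRF_CYCLE_FREQUENCY);`. The `$key` on line 85 is checked into source and identical for every install, as the TODO on line 84 admits, so it provides no per-deployment secrecy and should be loaded from configuration rather than a literal. `private $sessionKey` on line 30 is not referenced anywhere in this hunk; if nothing elsewhere reads it, it is dead and should go.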
+2 -1
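--- a/src/applications/phid/controller/allocate/PhabricatorPHIDAllocateController.php
+++ b/src/applications/phid/controller/allocate/PhabricatorPHIDAllocateController.php
@@ -31,7 +31,7 @@
 }
 
 $types = id(new PhabricatorPHIDType())->loadAll();
-
+
 $options = array();
 foreach ($types as $type) {
 $options[$type->getType()] = $type->getType().': '.$type->getName();
@@ -39,6 +39,7 @@
 asort($options);
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
 $form->setAction('/phid/new/');
 
 $form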
+1
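--- a/src/applications/phid/controller/allocate/__init__.php
+++ b/src/applications/phid/controller/allocate/__init__.php
@@ -14,6 +14,7 @@
 phutil_require_module('phabricator', 'view/form/control/submit');
 phutil_require_module('phabricator', 'view/layout/panel');
 
+phutil_require_module('phutil', 'markup');
 phutil_require_module('phutil', 'utils');
 
 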
+1
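--- a/src/applications/phid/controller/lookup/PhabricatorPHIDLookupController.php
+++ b/src/applications/phid/controller/lookup/PhabricatorPHIDLookupController.php
@@ -82,6 +82,7 @@
 }
 
 $lookup_form = new AphrontFormView();
+$lookup_form->setUser($request->getUser());
 $lookup_form
 ->setAction('/phid/')
 ->appendChild(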
+3
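--- a/src/applications/phid/controller/typeedit/PhabricatorPHIDTypeEditController.php
+++ b/src/applications/phid/controller/typeedit/PhabricatorPHIDTypeEditController.php
@@ -73,6 +73,8 @@
 }
 
 $form = new AphrontFormView();
+$form->setUser($request->getUser());
+
 if ($type->getID()) {
 $form->setAction('/phid/type/edit/'.$type->getID().'/');
 } else {
@@ -84,6 +86,7 @@
 } else {
 $type_immutable = false;
 }
+
 
 $form
 ->appendChild(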
+11
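--- a/src/view/form/base/AphrontFormView.php
+++ b/src/view/form/base/AphrontFormView.php
@@ -23,6 +23,12 @@
 private $header;
 private $data = array();
 private $encType;
+private $user;
+
+public function setUser(PhabricatorUser $user) {
+$this->user = $user;
+return $this;
+}
 
 public function setAction($action) {
 $this->action = $action;
@@ -59,8 +65,13 @@
 }
 
 private function renderDataInputs() {
+if (!$this->user) {
+throw new Exception('You must pass the user to AphrontFormView.');
+}
+
 $data = $this->data + array(
 '__form__' => 1,
+'__csrf__' => $this->user->getCSRFToken(),
 );
 $inputs = array();
 foreach ($data as $key => $value) {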
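Review bot: The array union on line 72 keeps keys already present in `$this->data`, so a caller that passes `__csrf__` (or `__form__`) through addHiddenInput() silently replaces the generated token with its own value; reversing the operands, `$data = array('__form__' => 1, '__csrf__' => $this->user->getCSRFToken()) + $this->data;`, makes the reserved fields authoritative. The new requirement that every form has a viewer is enforced on lines 68-70 but documented nowhere; a docblock on setUser() such as `/** Sets the viewer whose CSRF token is emitted as the hidden __csrf__ input; must be called before render(). */` makes the contract visible to callers. Consider also including `$this->action` in the exception text on line 69 so the failing form can be identified from the error alone.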
+20 -1
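--- a/src/view/page/standard/PhabricatorStandardPageView.php
+++ b/src/view/page/standard/PhabricatorStandardPageView.php
@@ -117,7 +117,26 @@
 if ($request) {
 $user = $request->getUser();
 if ($user->getPHID()) {
-$login_stuff = 'Logged in as '.phutil_escape_html($user->getUsername());
+$login_stuff =
+'Logged in as '.phutil_escape_html($user->getUsername()).
+' &middot; '.
+'<form action="/logout/" method="post" style="display: inline;">'.
+phutil_render_tag(
+'input',
+array(
+'type' => 'hidden',
+'name' => '__csrf__',
+'value' => $user->getCSRFToken(),
+)).
+phutil_render_tag(
+'input',
+array(
+'type' => 'hidden',
+'name' => '__form__',
+'value' => true,
+)).
+'<button class="small grey">Logout</button>'.
+'</form>';
 }
 }
 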
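Review bot: The inline logout form re-implements the hidden `__form__`/`__csrf__` inputs that AphrontFormView::renderDataInputs() already emits, and the two disagree on the value of `__form__` (`true` here on line 136, `1` there); how phutil_render_tag serializes a boolean attribute value is not visible here, and AphrontRequest::isFormPost() only tests that the field exists, so this works today but is a latent inconsistency — use `'value' => 1` or, better, render the logout control through AphrontFormView so a single code path owns the CSRF fields. A short comment above line 123, `// Logout is a POST form rather than a link so it passes through isFormPost() and its CSRF check.`, would explain the shape to the next reader.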
+1 -1
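--- a/src/view/utils/viewutils.php
+++ b/src/view/utils/viewutils.php
@@ -26,7 +26,7 @@
 
 function phabricator_format_timestamp($epoch) {
 $difference = (time() - $epoch);
-
+
 if ($difference < 60 * 60) {
 return phabricator_format_relative_time($difference).' ago';
 } else if (date('Y') == date('Y', $epoch)) {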