
Fix an open redirect issue in Phame with "View Live"

Summary: Currently, you can set a blog URI to "evil.com" and then the live controller will issue a redirect. Instead, require a CSRF check. If it fails, pop a "this blog has moved" dialog.

Test Plan:
- Clicked "View Live" for in-app and on-domain blogs and posts.
- Hit URI directly.

{F33302}

Reviewers: vrana

Reviewed By: vrana

CC: cbg, aran

Differential Revision: https://secure.phabricator.com/D5021

+21 -2
+17 -2
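--- a/src/applications/phame/controller/blog/PhameBlogLiveController.php
+++ b/src/applications/phame/controller/blog/PhameBlogLiveController.php
@@ -30,8 +30,23 @@
     }
 
     if ($blog->getDomain() && ($request->getHost() != $blog->getDomain())) {
-      return id(new AphrontRedirectResponse())
-        ->setURI('http://'.$blog->getDomain().'/'.$this->more);
+      $base_uri = 'http://'.$blog->getDomain().'/';
+      if ($request->isFormPost()) {
+        return id(new AphrontRedirectResponse())
+          ->setURI($base_uri.$this->more);
+      } else {
+        // If we don't have CSRF, return a dialog instead of automatically
+        // redirecting, to prevent this endpoint from serving semi-open
+        // redirects.
+        $dialog = id(new AphrontDialogView())
+          ->setTitle(pht('Blog Moved'))
+          ->setUser($user)
+          ->appendChild(
+            pht('This blog is now hosted at %s.',
+            $base_uri))
+          ->addSubmitButton(pht('Continue'));
+        return id(new AphrontDialogResponse())->setDialog($dialog);
+      }
     }
 
     $phame_request = clone $request;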
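Review bot: The whole defense hinges on `isFormPost()` actually validating the CSRF token, yet the new code only mentions CSRF in the comment; if that method merely checks the HTTP verb (its definition is not in this diff), any cross-site form POST still receives the redirect to the attacker-chosen domain, so confirm it validates the token and make the reliance explicit, e.g. `// isFormPost() is only true for a POST carrying a valid CSRF token, so a cross-site request can never reach the redirect.` The redirect target is still built with a hard-coded `http://` scheme in `$base_uri`, so a blog served over HTTPS is sent through a plaintext hop; consider deriving the scheme instead of fixing it. `$base_uri` comes from the user-configured blog domain and is interpolated into the dialog body through `pht()`/`appendChild()`; verify those escape plain strings in this codebase, since nothing in this hunk validates the domain's characters. The enclosing method starts before and ends after this hunk.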
+2
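--- a/src/applications/phame/controller/blog/PhameBlogViewController.php
+++ b/src/applications/phame/controller/blog/PhameBlogViewController.php
@@ -133,8 +133,10 @@
 
     $actions->addAction(
       id(new PhabricatorActionView())
+        ->setUser($user)
         ->setIcon('world')
         ->setHref($this->getApplicationURI('live/'.$blog->getID().'/'))
+        ->setRenderAsForm(true)
         ->setName(pht('View Live')));
 
     $actions->addAction(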
+2
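--- a/src/applications/phame/controller/post/PhamePostViewController.php
+++ b/src/applications/phame/controller/post/PhamePostViewController.php
@@ -139,9 +139,11 @@
 
     $actions->addAction(
       id(new PhabricatorActionView())
+        ->setUser($user)
         ->setIcon('world')
         ->setHref($live_uri)
         ->setName(pht('View Live'))
+        ->setRenderAsForm(true)
         ->setDisabled(!$can_view_live)
         ->setWorkflow(!$can_view_live));
 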