

Store hash of session key

Summary:
This prevents security by obscurity.
If I have read-only access to the database, then I can pretend to be any logged-in user.

I've used `PhabricatorHash::digest()` (even though we don't need salt as the hashed string is random) to be compatible with user log.

Test Plan:
Applied patch.
Verified I'm still logged in.
Logged out.
Logged in.

$ arc tasks

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D6080

+32 -6
+22
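--- a/resources/sql/patches/20130530.sessionhash.php
+++ b/resources/sql/patches/20130530.sessionhash.php
@@ -0,0 +1,22 @@
+<?php
+
+$table = new PhabricatorUser();
+$table->openTransaction();
+$conn = $table->establishConnection('w');
+
+$sessions = queryfx_all(
+  $conn,
+  'SELECT userPHID, type, sessionKey FROM %T FOR UPDATE',
+  PhabricatorUser::SESSION_TABLE);
+
+foreach ($sessions as $session) {
+  queryfx(
+    $conn,
+    'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s',
+    PhabricatorUser::SESSION_TABLE,
+    PhabricatorHash::digest($session['sessionKey']),
+    $session['userPHID'],
+    $session['type']);
+}
+
+$table->saveTransaction();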
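Review bot: The migration has no header comment and is not idempotent: every row is rewritten as `PhabricatorHash::digest()` of whatever `sessionKey` currently holds, with no way to tell an already-hashed key from a raw one, so applying it a second time double-hashes every key and the single-digest lookups elsewhere in this commit stop matching, invalidating all sessions. Since the patch list normally prevents re-application, a short comment stating this is enough, e.g. `// One-shot migration: replaces each raw sessionKey with PhabricatorHash::digest(key). Not idempotent; re-running it invalidates every session.` placed after the `<?php` line.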
+1 -1
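--- a/src/applications/base/controller/PhabricatorController.php
+++ b/src/applications/base/controller/PhabricatorController.php
@@ -52,7 +52,7 @@
         $user->getTableName(),
         'phabricator_session',
         'web-',
-        $phsid);
+        PhabricatorHash::digest($phsid));
       if ($info) {
         $user->loadFromArray($info);
       }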
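Review bot: The lookup at line 55 now only works while `PhabricatorHash::digest()` yields the same value here as in the 20130530.sessionhash.php migration and in `establishSession`, and the description says this digest is salted; if that salt comes from site configuration, changing it invalidates every stored session at once, which is a consequence worth stating at this call site, e.g. `// Sessions are stored as PhabricatorHash::digest(key); rotating the digest salt logs every user out.` The same applies to the Conduit lookup at line 286 of PhabricatorConduitAPIController.php. The enclosing method starts and ends outside the hunk.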
+1 -1
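--- a/src/applications/conduit/controller/PhabricatorConduitAPIController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitAPIController.php
@@ -283,7 +283,7 @@
         id(new PhabricatorUser())->establishConnection('r'),
         'SELECT * FROM %T WHERE sessionKey = %s',
         PhabricatorUser::SESSION_TABLE,
-        $session_key);
+        PhabricatorHash::digest($session_key));
       if (!$session) {
         return array(
           'ERR-INVALID-SESSION',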
+4 -4
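--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@@ -290,7 +290,7 @@
       $try_type = $session_type.'-'.$ii;
       if (!in_array($try_type, $existing_sessions)) {
         $establish_type = $try_type;
-        $expect_key = $session_key;
+        $expect_key = PhabricatorHash::digest($session_key);
         $existing_sessions[] = $try_type;
 
         // Ensure the row exists so we can issue an update below. We don't
@@ -302,7 +302,7 @@
           self::SESSION_TABLE,
           $this->getPHID(),
           $establish_type,
-          $session_key);
+          PhabricatorHash::digest($session_key));
         break;
       }
     }
@@ -325,7 +325,7 @@
       'UPDATE %T SET sessionKey = %s, sessionStart = UNIX_TIMESTAMP()
         WHERE userPHID = %s AND type = %s AND sessionKey = %s',
       self::SESSION_TABLE,
-      $session_key,
+      PhabricatorHash::digest($session_key),
       $this->getPHID(),
       $establish_type,
       $expect_key);
@@ -365,7 +365,7 @@
       'DELETE FROM %T WHERE userPHID = %s AND sessionKey = %s',
       self::SESSION_TABLE,
       $this->getPHID(),
-      $session_key);
+      PhabricatorHash::digest($session_key));
   }
 
   private function generateEmailToken(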
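Review bot: `PhabricatorHash::digest($session_key)` is evaluated three separate times within the same method at lines 293, 305 and 328, each time on the same input; computing it once into a local such as `$session_key_hash = PhabricatorHash::digest($session_key);` before the loop and using `$session_key_hash` for `$expect_key`, the INSERT and the UPDATE would make the stored form obvious to a reader and keep the three sites from drifting apart if the digest call is ever changed. The fourth hunk at line 368 is in a different method and can keep its own call. The enclosing methods start and end outside the hunks.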
+4
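--- a/src/infrastructure/storage/patch/PhabricatorBuiltinPatchList.php
+++ b/src/infrastructure/storage/patch/PhabricatorBuiltinPatchList.php
@@ -1326,6 +1326,10 @@
         'type' => 'php',
         'name' => $this->getPatchPath('20130529.macroauthormig.php'),
       ),
+      '20130530.sessionhash.php' => array(
+        'type' => 'php',
+        'name' => $this->getPatchPath('20130530.sessionhash.php'),
+      ),
     );
   }
 }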