@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole

Summary:
Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine.

This secret isn't critical to protect (it's the //hash// of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where `%P` is a more appropriate conversion.

Test Plan:
Note "*********" in the middle of the output here, instead of a session key hash:

{F6012805}

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13217, T13216, T6960

Differential Revision: https://secure.phabricator.com/D19812

+2 -2
src/applications/auth/engine/PhabricatorAuthSessionEngine.php
··· 127 127 u.* 128 128 %Q 129 129 FROM %T u JOIN %T s ON u.phid = s.userPHID 130 - AND s.type = %s AND s.sessionKey = %s %Q', 130 + AND s.type = %s AND s.sessionKey = %P %Q', 131 131 $cache_selects, 132 132 $user_table->getTableName(), 133 133 $session_table->getTableName(), 134 134 $session_type, 135 - $session_key, 135 + new PhutilOpaqueEnvelope($session_key), 136 136 $cache_joins); 137 137 138 138 if (!$info) {
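Review bot: the `%P` conversion changes only how the bound value is rendered in DarkConsole's query log; the query still executes with the real session key hash, so the hunk is display hardening and not a change to what reaches MySQL. A one-line comment above `new PhutilOpaqueEnvelope($session_key)` stating that the envelope exists to keep the hash out of DarkConsole output would help, since a later reader may otherwise unwrap it or switch the placeholder back to `%s` as a simplification. Leaving `$session_type` bound with `%s` is fine here, as the session type is not secret.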