@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Fix a CSRF issue with adding new email addresses

Summary:
The first dialog was being given the wrong user (`$user`, should be `$viewer`), leading to a CSRF issue.

(The CSRF token it generated was invalid in all validation contexts, so this wasn't a security problem or a way to capture CSRF tokens for other users.)

Use `newDialog()` instead.

(This seems completely unrelated to the vaguely-similar-looking issues we saw earlier this week.)

Test Plan:
- Added a new email address.
- Clicked "Done" on the last step.
- Completed workflow instead of getting a CSRF error.

Reviewers: chad, tide

Reviewed By: tide

Differential Revision: https://secure.phabricator.com/D16200

+2 -4
src/applications/settings/panel/PhabricatorEmailAddressesSettingsPanel.php
··· 227 227 228 228 $object->sendVerificationEmail($user); 229 229 230 - $dialog = id(new AphrontDialogView()) 231 - ->setUser($user) 230 + $dialog = $this->newDialog() 232 231 ->addHiddenInput('new', 'verify') 233 232 ->setTitle(pht('Verification Email Sent')) 234 233 ->appendChild(phutil_tag('p', array(), pht( ··· 259 258 ->setCaption(PhabricatorUserEmail::describeAllowedAddresses()) 260 259 ->setError($e_email)); 261 260 262 - $dialog = id(new AphrontDialogView()) 263 - ->setUser($viewer) 261 + $dialog = $this->newDialog() 264 262 ->addHiddenInput('new', 'true') 265 263 ->setTitle(pht('New Address')) 266 264 ->appendChild($errors)
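Review bot: in the first hunk (diff lines 228-234) the actual fix is that `$this->newDialog()` builds the dialog for the acting viewer, so the CSRF token it emits is bound to the session that will submit the form instead of to `$user`, the account whose settings are being edited; the unchanged context line `$object->sendVerificationEmail($user);` correctly keeps `$user`, because the address belongs to the target account, and a one-line comment above it stating that `$user` is the settings target while dialogs (and their CSRF tokens) must be built for `$viewer` would stop the next reader from "fixing" that line the same way.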
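Review bot: the second hunk (diff lines 258-266) already passed `$viewer` to `setUser()`, so replacing it with `$this->newDialog()` is a consistency cleanup rather than part of the CSRF fix, and the summary only mentions the first dialog; either add a sentence to the commit message noting that both dialogs now go through `newDialog()` so viewer handling lives in one place, or leave this hunk out to keep the security fix minimal.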