@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Don't prefill "add email address" from GET

Summary: Via HackerOne. I don't think this is a security vulnerability, but it is inconsistent. There's no reason to prefill this, and I think the code was just lazy.

Test Plan:
- Hit this page with `?email=xyz` in a GET request, no more prefill.
- Looped the page with bad addresses, appropriate prefill.
- Added an address.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D8458

+3 -2
src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
··· 161 161 $user = $request->getUser(); 162 162 163 163 $e_email = true; 164 - $email = trim($request->getStr('email')); 164 + $email = null; 165 165 $errors = array(); 166 166 if ($request->isDialogFormPost()) { 167 + $email = trim($request->getStr('email')); 167 168 168 169 if ($new == 'verify') { 169 170 // The user clicked "Done" from the "an email has been sent" dialog. ··· 222 223 id(new AphrontFormTextControl()) 223 224 ->setLabel(pht('Email')) 224 225 ->setName('email') 225 - ->setValue($request->getStr('email')) 226 + ->setValue($email) 226 227 ->setCaption(PhabricatorUserEmail::describeAllowedAddresses()) 227 228 ->setError($e_email)); 228 229
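Review bot: The first hunk (new lines 164 to 167) carries no comment saying that `$email` is deliberately read only inside the `if ($request->isDialogFormPost())` branch, so a later cleanup could hoist `trim($request->getStr('email'))` back above the `if` and bring the GET prefill back. A one-line comment next to `$email = null;` stating that the address must come only from the submitted dialog would protect the intent. The test plan in the commit message is manual; a regression test asserting that a GET request with `?email=xyz` renders an empty field would keep this fixed.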
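Review bot: In the second hunk, at `->setValue($email)`, the fix covers this one control only, while the removed pattern `->setValue($request->getStr('email'))` is easy to repeat elsewhere. It is worth searching the other settings panels for form controls whose value comes straight from `$request->getStr(...)` outside a form-post check and giving them the same treatment in this revision or a follow-up. The control now also shows the trimmed `$email` rather than the raw request string, which matches the value the POST branch works with, so no change is needed there.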