
Polish removal of conduit shield, including legacy stripping for phabricator on phabricator oauth scenarios

Summary: ...just in case that stuff happens in the "wild". also cleaned up the logic here since we no longer have the conduit conditionality.

Test Plan: made sure I didn't break JS on the site. reasoned about logic of my function and asking people PHP typing questions in job interviews.

Reviewers: epriestley, vrana

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T891

Differential Revision: https://secure.phabricator.com/D3269

+8 -8
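--- a/src/aphront/response/AphrontAjaxResponse.php
+++ b/src/aphront/response/AphrontAjaxResponse.php
@@ -67,8 +67,8 @@
       $this->error);
 
     $response_json = $this->encodeJSONForHTTPResponse($object);
-    return $this->addJSONShield($response_json, $use_javelin_shield = true);
+    return $this->addJSONShield($response_json);
   }
 
   public function getHeaders() {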
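--- a/src/aphront/response/AphrontJSONResponse.php
+++ b/src/aphront/response/AphrontJSONResponse.php
@@ -44,7 +44,7 @@
   public function buildResponseString() {
     $response = $this->encodeJSONForHTTPResponse($this->content);
     if ($this->shouldAddJSONShield()) {
-      $response = $this->addJSONShield($response, $use_javelin_shield = false);
+      $response = $this->addJSONShield($response);
     }
     return $response;
   }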
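--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -85,7 +85,7 @@
     return $response;
   }
 
-  protected function addJSONShield($json_response, $use_javelin_shield) {
+  protected function addJSONShield($json_response) {
 
     // Add a shield to prevent "JSON Hijacking" attacks where an attacker
     // requests a JSON response using a normal <script /> tag and then uses
@@ -93,11 +93,7 @@
     // This header causes the browser to loop infinitely instead of handing over
     // sensitive data.
 
-    // TODO: This is massively stupid: Javelin and Conduit use different
-    // shields.
-    $shield = $use_javelin_shield
-      ? 'for (;;);'
-      : 'for(;;);';
+    $shield = 'for (;;);';
 
     $response = $shield.$json_response;
 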
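Review bot: `addJSONShield` still has no docblock, and now that the `$use_javelin_shield` parameter is gone the method's whole contract is the single literal on new line 96 with nothing telling a consumer what it has to strip. I would put a docblock above the signature on line 88 saying that the return value is the JSON payload prefixed with the nine-byte `for (;;);` shield, which a legitimate client must remove before `json_decode` (the surrounding comment explains it is there to make a `<script>` inclusion spin rather than leak the data), and that the old Conduit variant without the space is no longer emitted here. Hoisting the literal into a named class constant, e.g. `const JSON_SHIELD = 'for (;;);';`, would let any stripping code refer to it instead of re-typing the bytes. The method body continues past the end of the second hunk.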
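--- a/src/applications/auth/oauth/provider/PhabricatorOAuthProviderPhabricator.php
+++ b/src/applications/auth/oauth/provider/PhabricatorOAuthProviderPhabricator.php
@@ -104,6 +104,10 @@
   }
 
   public function setUserData($data) {
+    // legacy conditionally strip shield. see D3265 for discussion.
+    if (strpos($data, 'for(;;);') === 0) {
+      $data = substr($data, 8);
+    }
     $data = idx(json_decode($data, true), 'result');
     $this->validateUserData($data);
     $this->userData = $data;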
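Review bot: The strip on new lines 108–109 ties the literal `'for(;;);'` to a bare `8`, so the two can drift apart without anything noticing; `$data = substr($data, strlen('for(;;);'));` keeps the offset derived from the prefix it belongs to. The comment on line 107 should also say which shield this is: the form matched here has no space and is the pre-D3265 Conduit prefix an older peer may still send, whereas `AphrontResponse::addJSONShield` in this same commit now emits `for (;;);` with a space, which this check deliberately does not match — presumably fine because Conduit no longer shields, but worth stating so nobody "fixes" it later. If the peer's body is empty or not JSON, `json_decode` yields null and `idx()` then receives null rather than an array; whether `validateUserData` rejects that is outside the hunk, as is the closing of `setUserData`.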