

Reject Phame domains which include a port number

Summary: Via HackerOne. This doesn't actually have any security impact as far as we can tell, but a researcher reported it since it seems suspicious. At a minimum, it could be confusing. Also improve some i18n stuff.

Test Plan: Hit all the error cases, then saved a valid custom domain.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: aran, epriestley

Differential Revision: https://secure.phabricator.com/D8493

+23 -8
+23 -8
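--- a/src/applications/phame/storage/PhameBlog.php
+++ b/src/applications/phame/storage/PhameBlog.php
@@ -68,27 +68,42 @@
    * @return string
    */
   public function validateCustomDomain($custom_domain) {
-    $example_domain = '(e.g. blog.example.com)';
-    $valid = '';
+    $example_domain = 'blog.example.com';
 
     // note this "uri" should be pretty busted given the desired input
     // so just use it to test if there's a protocol specified
     $uri = new PhutilURI($custom_domain);
     if ($uri->getProtocol()) {
-      return 'Do not specify a protocol, just the domain. '.$example_domain;
+      return pht(
+        'The custom domain should not include a protocol. Just provide '.
+        'the bare domain name (for example, "%s").',
+        $example_domain);
+    }
+
+    if ($uri->getPort()) {
+      return pht(
+        'The custom domain should not include a port number. Just provide '.
+        'the bare domain name (for example, "%s").',
+        $example_domain);
     }
 
     if (strpos($custom_domain, '/') !== false) {
-      return 'Do not specify a path, just the domain. '.$example_domain;
+      return pht(
+        'The custom domain should not specify a path (hosting a Phame '.
+        'blog at a path is currently not supported). Instead, just provide '.
+        'the bare domain name (for example, "%s").',
+        $example_domain);
     }
 
     if (strpos($custom_domain, '.') === false) {
-      return 'Custom domain must contain at least one dot (.) because '.
-        'some browsers fail to set cookies on domains such as '.
-        'http://example. '.$example_domain;
+      return pht(
+        'The custom domain should contain at least one dot (.) because '.
+        'some browsers fail to set cookies on domains without a dot. Instead, '.
+        'use a normal looking domain name like "%s".',
+        $example_domain);
     }
 
-    return $valid;
+    return null;
   }
 
   public function getBloggerPHIDs() {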
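Review bot: The `@return string` docblock at the top of the hunk is now wrong, because the success path changed from `return $valid;` (an empty string) to `return null;` while the error paths still return a string; the comment should read `@return string|null Error message describing why the domain is invalid, or null if it is acceptable.` Callers are not visible here, so whether any of them compares the result against `''` rather than testing it for truthiness cannot be confirmed from this hunk; if one does, the switch to `null` changes its behaviour and is worth checking. Separately, the comment above `new PhutilURI($custom_domain)` still says the object is used only "to test if there's a protocol specified", but the new code also reads `$uri->getPort()`; updating it to `// ... use it to test whether a protocol or port was specified` keeps it honest. Note that the validation remains a list of rejected shapes (protocol, port, path, missing dot) rather than a positive check that the value is a plain hostname, so a later follow-up might consider documenting that limitation next to the method. validateCustomDomain starts and ends inside this hunk.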