

Require CSRF submission to verify email addresses

Summary: If an attacker somehow intercepts a verification URL for an email address, they can hypothetically CSRF the account owner into verifying it. What you'd do before (how do you get the link?) and after (why do you care that you tricked them into verifying) performing this attack is unclear, but in theory we should require a CSRF submission here; add one.

Test Plan: {F118691}

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D8351

+25 -15
+25 -15
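--- a/src/applications/auth/controller/PhabricatorEmailVerificationController.php
+++ b/src/applications/auth/controller/PhabricatorEmailVerificationController.php
@@ -36,6 +36,8 @@
       $user->getPHID(),
       $this->code);
 
+    $submit = null;
+
     if (!$email) {
       $title = pht('Unable to Verify Email');
       $content = pht(
@@ -49,37 +51,45 @@
       $content = pht(
         'This email address has already been verified.');
       $continue = pht('Continue to Phabricator');
-    } else {
-      $guard = AphrontWriteGuard::beginScopedUnguardedWrites();
-      $email->openTransaction();
+    } else if ($request->isFormPost()) {
+      $email->openTransaction();
 
-      $email->setIsVerified(1);
-      $email->save();
+      $email->setIsVerified(1);
+      $email->save();
 
-      // If the user just verified their primary email address, mark their
-      // account as email verified.
-      $user_primary = $user->loadPrimaryEmail();
-      if ($user_primary->getID() == $email->getID()) {
-        $user->setIsEmailVerified(1);
-        $user->save();
-      }
+      // If the user just verified their primary email address, mark their
+      // account as email verified.
+      $user_primary = $user->loadPrimaryEmail();
+      if ($user_primary->getID() == $email->getID()) {
+        $user->setIsEmailVerified(1);
+        $user->save();
+      }
 
-      $email->saveTransaction();
-      unset($guard);
+      $email->saveTransaction();
 
       $title = pht('Address Verified');
       $content = pht(
         'The email address %s is now verified.',
         phutil_tag('strong', array(), $email->getAddress()));
       $continue = pht('Continue to Phabricator');
+    } else {
+      $title = pht('Verify Email Address');
+      $content = pht(
+        'Verify this email address (%s) and attach it to your account?',
+        phutil_tag('strong', array(), $email->getAddress()));
+      $continue = pht('Cancel');
+      $submit = pht('Verify %s', $email->getAddress());
     }
 
     $dialog = id(new AphrontDialogView())
       ->setUser($user)
       ->setTitle($title)
-      ->setMethod('GET')
       ->addCancelButton('/', $continue)
       ->appendChild($content);
+
+    if ($submit) {
+      $dialog->addSubmitButton($submit);
+    }
 
     $crumbs = $this->buildApplicationCrumbs();
     $crumbs->addTextCrumb(pht('Verify Email'));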
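Review bot: The CSRF protection this commit introduces rests entirely on `$request->isFormPost()` in the new `else if` line of the second hunk, and nothing in the hunk records that this call validates the CSRF token rather than only testing the HTTP method; a comment above that line, `// isFormPost() validates the CSRF token, so a plain GET of the verification link no longer marks the address verified.`, would pin the invariant the commit depends on (my recollection is that AphrontRequest::isFormPost() does validate the token, but confirm before relying on it). Dropping `->setMethod('GET')` so the dialog defaults to POST is what makes the form submission reach that branch, which is worth the same comment since the two edits only work together. The later `if ($submit)` guard tests the truthiness of a string initialised to `null`; `if ($submit !== null)` states the intent more precisely. The enclosing method begins before the first hunk and ends after the second.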