@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Make CSRF salt per-user instead of per-request

Summary:
Fixes T8326. This removes calls to PhabricatorStartup from places that daemons may access.

This salt doesn't need to be global; it's embedded in the token we return. It's fine if we use a different salt every time. In practice, we always use the same viewer, so this change causes little or no behavioral change.

Ref T8424. For Spaces, I need a per-request cache for all spaces, because they have unusual access patterns and require repeated access, in some cases by multiple viewers.

We don't currently have a per-request in-process cache that we, e.g., clear in the daemons.

We do have a weak/theoretical/forward-looking attempt at this in `PhabricatorStartup::getGlobal()` but I'm going to throw that away (it's kind of junky, partly because of T8326) and replace it with a more formal mechanism.

Test Plan:
- Submitted some forms.
- Grepped for `csrf.salt`.
- Viewed page source, saw nice CSRF tokens with salt.
- All the salts are still the same on every page I checked, but it doesn't matter if this isn't true everywhere.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T8326, T8424

Differential Revision: https://secure.phabricator.com/D13151

+6 -7
src/applications/people/storage/PhabricatorUser.php
··· 59 59 60 60 private $authorities = array(); 61 61 private $handlePool; 62 + private $csrfSalt; 62 63 63 64 protected function readField($field) { 64 65 switch ($field) { ··· 342 343 self::CSRF_TOKEN_LENGTH); 343 344 } 344 345 345 - /** 346 - * @phutil-external-symbol class PhabricatorStartup 347 - */ 348 346 public function getCSRFToken() { 349 - $salt = PhabricatorStartup::getGlobal('csrf.salt'); 350 - if (!$salt) { 351 - $salt = Filesystem::readRandomCharacters(self::CSRF_SALT_LENGTH); 352 - PhabricatorStartup::setGlobal('csrf.salt', $salt); 347 + if ($this->csrfSalt === null) { 348 + $this->csrfSalt = Filesystem::readRandomCharacters( 349 + self::CSRF_SALT_LENGTH); 353 350 } 351 + 352 + $salt = $this->csrfSalt; 354 353 355 354 // Generate a token hash to mitigate BREACH attacks against SSL. See 356 355 // discussion in T3684.
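Review bot: the lazy initialization in `getCSRFToken()` (`if ($this->csrfSalt === null) { $this->csrfSalt = Filesystem::readRandomCharacters(self::CSRF_SALT_LENGTH); }`) carries no comment explaining why a salt scoped to the user object, rather than a global per-request one, is acceptable; the revision summary gives the reason (the salt is embedded in the returned token, so a different salt per object changes nothing about validation), and that reasoning belongs next to the code, as a one-line comment above the null check alongside the existing BREACH/T3684 note, so a future reader does not reintroduce the `PhabricatorStartup::getGlobal('csrf.salt')` lookup. Dropping the `@phutil-external-symbol class PhabricatorStartup` docblock is correct here, since the method no longer references that class.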