
Prevent CSRF uploads via /file/dropupload/

Authored by epriestley <git@epriestley.com> on Aug 2 2011, 05:23.

Description

Prevent CSRF uploads via /file/dropupload/

Summary:
We don't currently validate CSRF tokens on this workflow. This allows an
attacker to upload arbitrary files on the user's behalf. Although I believe the
tight list of servable mime-types means that's more or less the end of the
attack, this is still a vulnerability.

In the long term, the right solution is probably to pass CSRF tokens on all Ajax
requests in an HTTP header (or just a GET param) or something like that.
However, this endpoint is unique and this is the quickest and most direct way to
close the hole.

Test Plan:

  • Drop-uploaded files to Files, Maniphest, Phriction and Differential.
  • Modified CSRF validator to use __csrf__.'x' and verified uploads and form
    submissions don't work.

Reviewers: andrewjcg, aran, jungejason, tuomaspelkonen, erling
Commenters: andrewjcg, pedram
CC: aran, epriestley, andrewjcg, pedram
Differential Revision: 758
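The commit message describes the hole (an Ajax upload endpoint that never checks a CSRF token, so a page on another origin can submit an upload with the victim's cookies) and sketches the longer-term fix (carry the token on Ajax requests in a header or a GET parameter). The following is an added illustration of that check, not Phabricator's code: a simulated drop-upload handler that derives a per-session token with an HMAC, accepts it from either an assumed `X-CSRF-Token` header or an assumed `__csrf__` query parameter, compares it in constant time, and refuses to store anything when the token is missing or altered. The server secret, session id and request contents are constructed for the example; the "token plus 'x'" case mirrors the test plan's trick of appending a character to prove the validator rejects bad tokens.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed server-side secret for this example; a real deployment keeps
# this out of source control and rotates it.
SERVER_SECRET = b"constructed-example-secret"


def csrf_token_for_session(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC-SHA256(secret, session id).

    A page on another origin can make the browser send the session cookie,
    but it can neither read the cookie nor compute this value, so it cannot
    supply a valid token.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def extract_token(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Look for the token in the two places the commit message suggests for
    Ajax callers: an HTTP header (assumed name X-CSRF-Token) or a GET
    parameter (assumed name __csrf__). Both names are assumptions."""
    token = headers.get("X-CSRF-Token")
    if token is None:
        token = query.get("__csrf__")
    return token


def validate_csrf(session_id: str, headers: Dict[str, str], query: Dict[str, str]) -> bool:
    """Return True only when a token is present and matches the session's token.

    hmac.compare_digest avoids leaking how many leading characters matched
    through response timing."""
    presented = extract_token(headers, query)
    if presented is None:
        return False
    expected = csrf_token_for_session(session_id)
    return hmac.compare_digest(expected, presented)


def handle_drop_upload(session_id: str, headers: Dict[str, str], query: Dict[str, str],
                       file_bytes: bytes, store: Dict[str, bytes]) -> dict:
    """Simulated /file/dropupload/ handler: validate before touching storage.

    The CSRF check runs first so a forged request leaves no file behind."""
    if not validate_csrf(session_id, headers, query):
        return {"status": 403, "error": "invalid or missing CSRF token"}
    file_id = hashlib.sha256(file_bytes).hexdigest()[:12]
    store[file_id] = file_bytes
    return {"status": 200, "file_id": file_id}


def demo() -> dict:
    """Run four constructed requests against one session and return the outcomes."""
    store: Dict[str, bytes] = {}
    sid = "constructed-session-id"
    token = csrf_token_for_session(sid)
    return {
        # Cross-site page: has the victim's cookie, has no token.
        "forged": handle_drop_upload(sid, {}, {}, b"unwanted upload", store),
        # Same-origin Ajax call carrying the token in a header.
        "header": handle_drop_upload(sid, {"X-CSRF-Token": token}, {}, b"first file", store),
        # Same-origin call carrying the token as a GET parameter.
        "query": handle_drop_upload(sid, {}, {"__csrf__": token}, b"second file", store),
        # Test-plan style check: a token with an extra character must fail.
        "tampered": handle_drop_upload(sid, {"X-CSRF-Token": token + "x"}, {}, b"nope", store),
        "stored_count": len(store),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of operations is the point: the token is checked before any bytes are written, so a rejected request has no side effect to clean up, which is the property the commit closes for the drop-upload workflow.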

Details

Committed
epriestley <git@epriestley.com>, Aug 16 2011, 22:19
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH735847865c24: Improve error messages when hitting PHP file upload issues
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH3aa17c74436e: Prevent CSRF uploads via /file/dropupload/ (authored by epriestley <git@epriestley.com>). Aug 16 2011, 22:19