
Require a CSRF code for Twitter and JIRA (OAuth 1) logins

Authored by epriestley <git@epriestley.com> on Feb 24 2014, 01:39.

Description

Require a CSRF code for Twitter and JIRA (OAuth 1) logins

Summary:
OAuth1 doesn't have anything like the state parameter, and I overlooked that we need to shove one in there somewhere. Append it to the callback URI. This functions like state in OAuth2.

Without this, an attacker can trick a user into logging into Phabricator with an account the attacker controls.

Test Plan:

  • Logged in with JIRA.
  • Logged in with Twitter.
  • Logged in with Facebook (an OAuth2 provider).
  • Linked a Twitter account.
  • Linked a Facebook account.
  • Jiggered codes in URIs and verified that I got the exceptions I expected.

Reviewers: btrahan, arice

Reviewed By: arice

CC: arice, chad, aran

Differential Revision: https://secure.phabricator.com/D8318
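An added illustration of the mechanism the summary describes, not Phabricator's own code: a random CSRF code is bound to the server-side session, appended to the OAuth 1 callback URI (which the provider preserves, unlike OAuth 2 where `state` carries it), and consumed on the way back. The session dict, the callback URI and `simulate_provider_redirect` are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

CSRF_PARAM = "code"  # assumed query parameter name


class OAuth1LoginCsrf:
    """Binds an OAuth 1 login attempt to the browser session.

    OAuth 1 has no `state` parameter, so the anti-CSRF code rides in the
    callback URI instead and is checked when the provider redirects back.
    """

    def __init__(self, session, base_callback):
        self.session = session            # dict: stand-in for session storage
        self.base_callback = base_callback

    def start(self):
        """Return the callback URI to pass to the provider as oauth_callback."""
        code = secrets.token_urlsafe(16)
        self.session["oauth1_csrf"] = code
        parts = urlparse(self.base_callback)
        query = parse_qs(parts.query)
        query[CSRF_PARAM] = [code]
        return urlunparse(parts._replace(query=urlencode(query, doseq=True)))

    def finish(self, returned_uri):
        """Check the code in the URI the provider redirected to.

        The stored code is consumed on first use, so a replayed URI or one
        minted in another session (the attacker's) cannot finish the login.
        """
        expected = self.session.pop("oauth1_csrf", None)
        query = parse_qs(urlparse(returned_uri).query)
        got = query.get(CSRF_PARAM, [None])[0]
        if expected is None or got is None:
            raise ValueError("missing OAuth 1 CSRF code")
        if not hmac.compare_digest(expected.encode(), got.encode()):
            raise ValueError("OAuth 1 CSRF code mismatch")
        return query


def simulate_provider_redirect(callback_uri, token="tok", verifier="ver"):
    """Constructed stand-in: the provider adds oauth_token and oauth_verifier
    to the callback URI it was given and leaves our own parameter intact."""
    parts = urlparse(callback_uri)
    query = parse_qs(parts.query)
    query["oauth_token"] = [token]
    query["oauth_verifier"] = [verifier]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))
```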

Details

Committed: epriestley <git@epriestley.com>, Feb 24 2014, 01:39
Pushed: aubort, Jan 31 2017, 17:16
Parents: rPH438915032ae3: Minor, mark SERIALIZATION_PHP fields as BINARY in Lisk
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHa566ae373015: Require a CSRF code for Twitter and JIRA (OAuth 1) logins (authored by epriestley <git@epriestley.com>). Feb 24 2014, 01:39