Require a CSRF code for Twitter and JIRA (OAuth 1) logins
a566ae373015
Actions

Authored by epriestley <git@epriestley.com> on Feb 24 2014, 01:39.

Description

Require a CSRF code for Twitter and JIRA (OAuth 1) logins

Summary:
OAuth1 doesn't have anything like the state parameter, and I overlooked that we need to shove one in there somewhere. Append it to the callback URI. This functions like state in OAuth2.

Without this, an attacker can trick a user into logging into Phabricator with an account the attacker controls.

Test Plan:

Logged in with JIRA.
Logged in with Twitter.
Logged in with Facebook (an OAuth2 provider).
Linked a Twitter account.
Linked a Facebook account.
Jiggered codes in URIs and verified that I got the exceptions I expected.

Reviewers: btrahan, arice

Reviewed By: arice

CC: arice, chad, aran

Differential Revision: https://secure.phabricator.com/D8318

Details

Committed

epriestley <git@epriestley.com>

Feb 24 2014, 01:39

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPH438915032ae3: Minor, mark SERIALIZATION_PHP fields as BINARY in Lisk

Branches

Unknown

Tags

Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHa566ae373015: Require a CSRF code for Twitter and JIRA (OAuth 1) logins (authored by epriestley <git@epriestley.com>).Feb 24 2014, 01:39

Changes (5)

				Path
	M			src/applications/auth/application/PhabricatorApplicationAuth.php
	M			src/applications/auth/controller/PhabricatorAuthLoginController.php
	M			src/applications/auth/provider/PhabricatorAuthProvider.php
	M			src/applications/auth/provider/PhabricatorAuthProviderOAuth.php
	M			src/applications/auth/provider/PhabricatorAuthProviderOAuth1.php