Require CSRF submission to verify email addresses

Authored by epriestley <git@epriestley.com> on Feb 26 2014, 20:17.

Description

Require CSRF submission to verify email addresses

Summary: If an attacker somehow intercepts a verification URL for an email address, they can hypothetically CSRF the account owner into verifying it. What you'd do before (how do you get the link?) and after (why do you care that you tricked them into verifying) performing this attack is unclear, but in theory we should require a CSRF submission here; add one.

Test Plan: {F118691}

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D8351
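
The pattern the summary asks for, as an added example that is not Phabricator's code and not part of this commit: a verification link that changes state on a plain request, next to a handler where GET only renders a confirmation form and the change happens on a POST carrying a session-bound CSRF token. The handler names, in-memory stores, verification code and HMAC token scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)
VERIFIED = set()                       # addresses that have been verified
CODES = {"k3y-constructed": "alice@example.com"}  # code -> address (constructed)


def csrf_token(session_id: str) -> str:
    """Token bound to the session; another origin cannot read or compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_email_get_only(method, code, session_id, form):
    """Before: loading the link is enough, so a cross-site request verifies."""
    if code in CODES:
        VERIFIED.add(CODES[code])
        return 200, "verified"
    return 404, "unknown code"


def verify_email(method, code, session_id, form):
    """After: GET shows a confirmation form; only a POST with the token verifies."""
    if code not in CODES:
        return 404, "unknown code"
    if method == "GET":
        # Safe method: no state change, just hand back the form's hidden token.
        return 200, {"confirm_form_csrf": csrf_token(session_id)}
    if method != "POST":
        return 405, "method not allowed"
    supplied = form.get("csrf", "").encode()
    expected = csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        return 403, "csrf check failed"
    VERIFIED.add(CODES[code])
    return 200, "verified"
```
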

Details

Committed: epriestley <git@epriestley.com>, Feb 26 2014, 20:17
Pushed: aubort, Jan 31 2017, 17:16
Parents: rPH424ba2e58887: Render inline comments in "Pro" mail
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHbcf255e9c96b: Require CSRF submission to verify email addresses (authored by epriestley <git@epriestley.com>). Feb 26 2014, 20:17