Homec4science
Diffusion Phabricator d3e700ce1931

Further mitigate BREACH by reducing reflectiveness
d3e700ce1931
Actions

Authored by epriestley <git@epriestley.com> on Aug 8 2013, 01:09.

Description

Further mitigate BREACH by reducing reflectiveness

Summary:
Ref T3684. The URI itself is reflected in a few places. It is generally not dangerous because we only let you add random stuff to the end of it for one or two controllers (e.g., the file download controller lets you add "/whatever.jpg"), but:

  • Remove it entirely in the main request, since it serves no purpose.
  • Remove query parameters in Ajax requests. These are available in DarkConsole proper.

Also mask a few things in the "Request" tab; I've never used these fields when debugging or during support, and they leak quasi-sensitive information that could get screenshotted or over-the-shoulder'd.

I didn't mitgate __metablock__ because I think the threat is so close to 0 that it's not worthwhile.

Test Plan: Used Darkconsole, examined Requests tab.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T3684

Differential Revision: https://secure.phabricator.com/D6699

Details

Committed
epriestley <git@epriestley.com>Aug 8 2013, 01:09
Pushed
aubortJan 31 2017, 17:16
Parents
rPH7298589c86ec: Proof of concept mitigation of BREACH
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHd3e700ce1931: Further mitigate BREACH by reducing reflectiveness (authored by epriestley <git@epriestley.com>).Aug 8 2013, 01:09

Changes (3)

Path
Msrc/aphront/console/plugin/DarkConsoleRequestPlugin.php
Msrc/aphront/response/AphrontAjaxResponse.php
Msrc/view/page/PhabricatorStandardPageView.php

rPHd3e700ce1931

View Options

src/aphront/console/plugin/DarkConsoleRequestPlugin.php

Loading...
View Options

src/aphront/response/AphrontAjaxResponse.php

Loading...
View Options

src/view/page/PhabricatorStandardPageView.php

Loading...
c4science ยท Help