Fix incorrect key handling in extended policy filtering
f59ebf4c0959
Actions

Authored by epriestley <git@epriestley.com> on Jan 11 2016, 13:32.

Description

Fix incorrect key handling in extended policy filtering

Summary:
Via HackerOne. The use of $key here should be $extended_key.

Exploiting this requires a very unusual group of objects to be subjected to extended policy checks. I believe there is no way to actually get anything bad through the policy filter today, but this could have been an issue in the future.

Test Plan:

Added a unit test which snuck something through the policy filter.
Fixed use of $extended_key.
Test now passes.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D14993

Details

Committed

epriestley <git@epriestley.com>

Jan 11 2016, 16:04

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPH0b3d10c3da91: Enforce sensible, unique clone/checkout names for repositories

Branches

Unknown

Tags

Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHf59ebf4c0959: Fix incorrect key handling in extended policy filtering (authored by epriestley <git@epriestley.com>).Jan 11 2016, 16:04

Changes (2)

				Path
	M			src/applications/policy/__tests__/PhabricatorPolicyTestCase.php
	M			src/applications/policy/filter/PhabricatorPolicyFilter.php

Fix incorrect key handling in extended policy filteringf59ebf4c0959Actions

Description

Details

Event Timeline

Changes (2)

rPHf59ebf4c0959

src/applications/policy/__tests__/PhabricatorPolicyTestCase.php

src/applications/policy/filter/PhabricatorPolicyFilter.php

Fix incorrect key handling in extended policy filtering
f59ebf4c0959
Actions

src/applications/policy/tests/PhabricatorPolicyTestCase.php