archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

OAuthServer - harden things up a bit

Browse Source 
Summary: This is the hardening work mentioned in T887#86529. Also take a documentation pass for accuracy about these changes and formatting. Ref T4593.

Test Plan: unit tests...! generated diviner docs and oauthserver doc looked good

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T4593

Differential Revision: https://secure.phabricator.com/D11298
This commit is contained in:
Bob Trahan
2015-01-09 11:04:18 -08:00
parent 7a6f4ab75a
commit 152072fc97
3 changed files with 45 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/applications/oauthserver/PhabricatorOAuthServer.php
View File

@@ -215,8 +215,8 @@ final class PhabricatorOAuthServer {
/** /**
* If there's a URI specified in an OAuth request, it must be validated in * If there's a URI specified in an OAuth request, it must be validated in
* its own right. Further, it must have the same domain and (at least) the * its own right. Further, it must have the same domain, the same path, the
* same query parameters as the primary URI. * same port, and (at least) the same query parameters as the primary URI.
*/ */
public function validateSecondaryRedirectURI( public function validateSecondaryRedirectURI(
PhutilURI $secondary_uri, PhutilURI $secondary_uri,
@@ -232,6 +232,16 @@ final class PhabricatorOAuthServer {
return false; return false;
} }
// Both URIs must have the same path
if ($secondary_uri->getPath() != $primary_uri->getPath()) {
return false;
}
// Both URIs must have the same port
if ($secondary_uri->getPort() != $primary_uri->getPort()) {
return false;
}
// Any query parameters present in the first URI must be exactly present // Any query parameters present in the first URI must be exactly present
// in the second URI. // in the second URI.
$need_params = $primary_uri->getQueryParams(); $need_params = $primary_uri->getQueryParams();

18
src/applications/oauthserver/__tests__/PhabricatorOAuthServerTestCase.php
View File

@@ -24,11 +24,11 @@ final class PhabricatorOAuthServerTestCase
public function testValidateSecondaryRedirectURI() { public function testValidateSecondaryRedirectURI() {
$server = new PhabricatorOAuthServer(); $server = new PhabricatorOAuthServer();
$primary_uri = new PhutilURI('http://www.google.com'); $primary_uri = new PhutilURI('http://www.google.com/');
static $test_domain_map = array( static $test_domain_map = array(
'http://www.google.com' => true, 'http://www.google.com' => false,
'http://www.google.com/' => true, 'http://www.google.com/' => true,
'http://www.google.com/auth' => true, 'http://www.google.com/auth' => false,
'http://www.google.com/?auth' => true, 'http://www.google.com/?auth' => true,
'www.google.com' => false, 'www.google.com' => false,
'http://www.google.com/auth#invalid' => false, 'http://www.google.com/auth#invalid' => false,
@@ -76,12 +76,12 @@ final class PhabricatorOAuthServerTestCase
$primary_uri = new PhutilURI('http://example.com/?z=2&y=3'); $primary_uri = new PhutilURI('http://example.com/?z=2&y=3');
$tests = array( $tests = array(
'http://example.com?z=2&y=3' => true, 'http://example.com/?z=2&y=3' => true,
'http://example.com?y=3&z=2' => true, 'http://example.com/?y=3&z=2' => true,
'http://example.com?y=3&z=2&x=1' => true, 'http://example.com/?y=3&z=2&x=1' => true,
'http://example.com?y=2&z=3' => false, 'http://example.com/?y=2&z=3' => false,
'http://example.com?y&x' => false, 'http://example.com/?y&x' => false,
'http://example.com?z=2&x=3' => false, 'http://example.com/?z=2&x=3' => false,
); );
foreach ($tests as $input => $expected) { foreach ($tests as $input => $expected) {
$uri = new PhutilURI($input); $uri = new PhutilURI($input);

12
src/docs/contributor/using_oauthserver.diviner
View File

@@ -18,9 +18,9 @@ clients that implement OAuth 2.0.
= Vocabulary = = Vocabulary =
- **Access token** - a token which allows a client to ask for data on - **Access token** - a token which allows a client to ask for data on behalf
behalf of a resource owner. A given client will only be able to access of a resource owner. A given client will only be able to access data included
data included in the scope(s) the resource owner authorized that client for. in the scope(s) the resource owner authorized that client for.
- **Authorization code** - a short-lived code which allows an authenticated - **Authorization code** - a short-lived code which allows an authenticated
client to ask for an access token on behalf of some resource owner. client to ask for an access token on behalf of some resource owner.
- **Client** - this is the application or system asking for data from the - **Client** - this is the application or system asking for data from the
@@ -48,9 +48,9 @@ following parameters:
- Required - **response_type** - the desired type of authorization code - Required - **response_type** - the desired type of authorization code
response. Only code is supported at this time. response. Only code is supported at this time.
- Optional - **redirect_uri** - override the redirect_uri the client - Optional - **redirect_uri** - override the redirect_uri the client
registered. This redirect_uri must have the same fully-qualified domain registered. This redirect_uri must have the same fully-qualified domain,
and have at least the same query parameters as the redirect_uri the client path, port and have at least the same query parameters as the redirect_uri
registered, as well as have no fragments. the client registered, as well as have no fragments.
- Optional - **scope** - specify what scope(s) the client needs access to - Optional - **scope** - specify what scope(s) the client needs access to
in a space-delimited list. in a space-delimited list.
- Optional - **state** - an opaque value the client can send to the server - Optional - **state** - an opaque value the client can send to the server