Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole

Summary: Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine. This secret isn't critical to protect (it's the //hash// of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where `%P` is a more appropriate conversion. Test Plan: Note "*********" in the middle of the output here, instead of a session key hash: {F6012805} Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13217, T13216, T6960 Differential Revision: https://secure.phabricator.com/D19812
2018-11-15 05:28:46 -08:00
parent b2e91d2205
commit 49483bdb48
1 changed files with 2 additions and 2 deletions
--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -127,12 +127,12 @@ final class PhabricatorAuthSessionEngine extends Phobject {
          u.*
          %Q
        FROM %T u JOIN %T s ON u.phid = s.userPHID
-        AND s.type = %s AND s.sessionKey = %s %Q',
+        AND s.type = %s AND s.sessionKey = %P %Q',
      $cache_selects,
      $user_table->getTableName(),
      $session_table->getTableName(),
      $session_type,
-      $session_key,
+      new PhutilOpaqueEnvelope($session_key),
      $cache_joins);

    if (!$info) {