archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole

Browse Source 
Summary:
Ref T6960. Ref T13217. Ref T13216. Depends on D19811. Use the recently-introduced "%P" conversion ("Password/Secret") to load sessions in SessionEngine.

This secret isn't critical to protect (it's the //hash// of the actual secret and not useful to attackers on its own) but it shows up on every page in DarkConsole and is an obvious case where `%P` is a more appropriate conversion.

Test Plan:
Note "*********" in the middle of the output here, instead of a session key hash:

{F6012805}

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13217, T13216, T6960

Differential Revision: https://secure.phabricator.com/D19812
This commit is contained in:
epriestley
2018-11-15 05:28:46 -08:00
parent b2e91d2205
commit 49483bdb48
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/applications/auth/engine/PhabricatorAuthSessionEngine.php
View File

@@ -127,12 +127,12 @@ final class PhabricatorAuthSessionEngine extends Phobject {
u.* u.*
%Q %Q
FROM %T u JOIN %T s ON u.phid = s.userPHID FROM %T u JOIN %T s ON u.phid = s.userPHID
AND s.type = %s AND s.sessionKey = %s %Q', AND s.type = %s AND s.sessionKey = %P %Q',
$cache_selects, $cache_selects,
$user_table->getTableName(), $user_table->getTableName(),
$session_table->getTableName(), $session_table->getTableName(),
$session_type, $session_type,
$session_key, new PhutilOpaqueEnvelope($session_key),
$cache_joins); $cache_joins);
if (!$info) { if (!$info) {