Support "state" parameter in OAuth

Summary:
Ref T1445. Ref T1536. Although we have separate CSRF protection and have never been vulnerable to OAuth hijacking, properly implementing the "state" parameter provides a little more certainty.

Before OAuth, we set a random value on the client, and pass its hash as the "state" parameter. Upon return, validate that (a) the user has a nonempty "phcid" cookie and (b) the OAuth endpoint passed back the correct state (the hash of that cookie).

Test Plan: Logged in with all OAuth providers, which all apparently support `state`.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, arice

Maniphest Tasks: T1445, T1536

Differential Revision: https://secure.phabricator.com/D6179
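As an added example, not Phabricator's own code, the following Python sketch models the cookie/state handshake the summary describes: a random client ID is set in the `phcid` cookie, its hash travels as `state`, and the return is accepted only if the cookie is nonempty and the provider echoed the matching hash. The cookie and parameter names come from the commit; SHA-256 as the hash, the dict standing in for the cookie jar, and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of the "phcid" cookie / "state" scheme from the commit
# summary. Names other than "phcid" and "state" are assumed for illustration.
COOKIE_NAME = "phcid"


def state_for_client_id(client_id: str) -> str:
    """The 'state' sent to the OAuth provider is the hash of the cookie value.
    SHA-256 is an assumption; the commit only says 'its hash'."""
    return hashlib.sha256(client_id.encode("utf-8")).hexdigest()


def begin_oauth(cookies: dict) -> str:
    """Before redirecting to the provider: set a fresh random client ID cookie
    and return the state parameter to include in the authorization URL."""
    client_id = secrets.token_hex(16)
    cookies[COOKIE_NAME] = client_id
    return state_for_client_id(client_id)


def validate_oauth_return(cookies: dict, returned_state) -> bool:
    """On return from the provider: (a) the client must still hold a nonempty
    cookie and (b) the provider must have passed back the hash of that cookie."""
    client_id = cookies.get(COOKIE_NAME)
    if not client_id:
        return False  # no cookie: the flow was not started by this browser
    if not isinstance(returned_state, str) or not returned_state:
        return False  # missing or malformed state parameter
    expected = state_for_client_id(client_id)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, returned_state)


def finish_login(cookies: dict) -> None:
    """Mirror of the hunk below: once login succeeds, the one-time cookie is
    cleared so it cannot be replayed for a later round trip."""
    cookies.pop(COOKIE_NAME, None)
```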
epriestley
2013-06-16 10:18:56 -07:00
parent fdbd377625
commit 8c3ef4b73c
4 changed files with 33 additions and 1 deletions


@@ -39,7 +39,12 @@ abstract class PhabricatorAuthController extends PhabricatorController {
$request->setCookie('phusr', $user->getUsername());
$request->setCookie('phsid', $session_key);
// Clear the registration key.
$request->clearCookie('phreg');
// Clear the client ID / OAuth state key.
$request->clearCookie('phcid');
}
protected function buildLoginValidateResponse(PhabricatorUser $user) {
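Review bot: the new `clearCookie('phcid')` only runs on the successful-login path alongside the `phreg` clear, so a client ID left over from a failed or abandoned OAuth return stays set; since the summary makes acceptance depend on a nonempty `phcid` cookie matching the returned `state`, consider clearing it on the validate-failure path as well so each round trip starts from a fresh value, and extend the comment to say the cookie is one-shot per OAuth attempt.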