archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

Support "state" parameter in OAuth

Browse Source 
Summary:
Ref T1445. Ref T1536. Although we have separate CSRF protection and have never been vulnerable to OAuth hijacking, properly implementing the "state" parameter provides a little more certainty.

Before OAuth, we set a random value on the client, and pass its hash as the "state" parameter. Upon return, validate that (a) the user has a nonempty "phcid" cookie and (b) the OAuth endpoint passed back the correct state (the hash of that cookie).

Test Plan: Logged in with all OAuth providers, which all apparently support `state`.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, arice

Maniphest Tasks: T1445, T1536

Differential Revision: https://secure.phabricator.com/D6179
This commit is contained in:
epriestley
2013-06-16 10:18:56 -07:00
parent fdbd377625
commit 8c3ef4b73c
4 changed files with 33 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/applications/auth/controller/PhabricatorAuthStartController.php
View File

@@ -62,6 +62,7 @@ final class PhabricatorAuthStartController
if (!$request->isFormPost()) {
$request->setCookie('next_uri', $next_uri);
$request->setCookie('phcid', Filesystem::readRandomCharacters(16));
}
$out = array();