1f4cf23455d72df025bcd93ea8aa94d0a0d77b36

Summary: Ref T12509. - Remove the "phabricator.csrf-key" configuration option in favor of automatically generating an HMAC key. - Upgrade two hasher callsites (one in CSRF itself, one in providing a CSRF secret for logged-out users) to SHA256. - Extract the CSRF logic from `PhabricatorUser` to a standalone engine. I was originally going to do this as two changes (extract logic, then upgrade hashes) but the logic had a couple of very silly pieces to it that made faithful extraction a little silly. For example, it computed `time_block = (epoch + (offset * cycle_frequency)) / cycle_frequency` instead of `time_block = (epoch / cycle_frequency) + offset`. These are equivalent but the former was kind of silly. It also computed `substr(hmac(substr(hmac(secret)).salt))` instead of `substr(hmac(secret.salt))`. These have the same overall effect but the former is, again, kind of silly (and a little bit materially worse, in this case). This will cause a one-time compatibility break: pages loaded before the upgrade won't be able to submit contained forms after the upgrade, unless they're open for long enough for the Javascript to refresh the CSRF token (an hour, I think?). I'll note this in the changelog. Test Plan: - As a logged-in user, submitted forms normally (worked). - As a logged-in user, submitted forms with a bad CSRF value (error, as expected). - As a logged-out user, hit the success and error cases. - Visually inspected tokens for correct format. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T12509 Differential Revision: https://secure.phabricator.com/D19946
Phabricator is a collection of web applications which help software companies build better software.
Phabricator includes applications for:
- reviewing and auditing source code;
- hosting and browsing repositories;
- tracking bugs;
- managing projects;
- conversing with team members;
- assembling a party to venture forth;
- writing stuff down and reading it later;
- hiding stuff from coworkers; and
- also some other things.
You can learn more about the project (and find links to documentation and resources) at Phabricator.org
Phabricator is developed and maintained by Phacility.
SUPPORT RESOURCES
For resources on filing bugs, requesting features, reporting security issues, and getting other kinds of support, see Support Resources.
NO PULL REQUESTS!
We do not accept pull requests through GitHub. If you would like to contribute code, please read our Contributor's Guide.
LICENSE
Phabricator is released under the Apache 2.0 license except as otherwise noted.
Description
Languages
PHP
93.4%
JavaScript
4.1%
CSS
2.4%