View Options

	diff --git a/src/infrastructure/javelin/markup.php b/src/infrastructure/javelin/markup.php
	index e5b3ab36b9..a15dc097c7 100644
	--- a/src/infrastructure/javelin/markup.php
	+++ b/src/infrastructure/javelin/markup.php
	@@ -1,96 +1,97 @@
	<?php

	function javelin_tag(
	$tag,
	array $attributes = array(),
	$content = null) {

	if (isset($attributes['sigil']) \|\|
	isset($attributes['meta']) \|\|
	isset($attributes['mustcapture'])) {
	foreach ($attributes as $k => $v) {
	switch ($k) {
	case 'sigil':
	if ($v !== null) {
	$attributes['data-sigil'] = $v;
	}
	unset($attributes[$k]);
	break;
	case 'meta':
	if ($v !== null) {
	$response = CelerityAPI::getStaticResourceResponse();
	$id = $response->addMetadata($v);
	$attributes['data-meta'] = $id;
	}
	unset($attributes[$k]);
	break;
	case 'mustcapture':
	if ($v) {
	$attributes['data-mustcapture'] = '1';
	} else {
	unset($attributes['data-mustcapture']);
	}
	unset($attributes[$k]);
	break;
	}
	}
	}

	return phutil_tag($tag, $attributes, $content);
	}

	function phabricator_form(PhabricatorUser $user, $attributes, $content) {
	$body = array();

	$http_method = idx($attributes, 'method');
	$is_post = (strcasecmp($http_method, 'POST') === 0);

	$http_action = idx($attributes, 'action');
	$is_absolute_uri = preg_match('#^(https?:\|//)#', $http_action);

	if ($is_post) {
	- if ($is_absolute_uri) {
	- $is_dev = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
	- if ($is_dev) {
	- $form_domain = id(new PhutilURI($http_action))
	- ->getDomain();
	- $host_domain = id(new PhutilURI(PhabricatorEnv::getURI('/')))
	- ->getDomain();

	- if (strtolower($form_domain) == strtolower($host_domain)) {
	- throw new Exception(
	- pht(
	- "You are building a <form /> that submits to Phabricator, but ".
	- "has an absolute URI in its 'action' attribute ('%s'). To avoid ".
	- "leaking CSRF tokens, Phabricator does not add CSRF information ".
	- "to forms with absolute URIs. Instead, use a relative URI.",
	- $http_action));
	- }
	- }
	- } else {
	+ // NOTE: We only include CSRF tokens if a URI is a local URI on the same
	+ // domain. This is an important security feature and prevents forms which
	+ // submit to foreign sites from leaking CSRF tokens.
	+
	+ // In some cases, we may construct a fully-qualified local URI. For example,
	+ // we can construct these for download links, depending on configuration.
	+
	+ // These forms do not receive CSRF tokens, even though they safely could.
	+ // This can be confusing, if you're developing for Phabricator and
	+ // manage to construct a local form with a fully-qualified URI, since it
	+ // won't get CSRF tokens and you'll get an exception at the other end of
	+ // the request which is a bit disconnected from the actual root cause.
	+
	+ // However, this is rare, and there are reasonable cases where this
	+ // construction occurs legitimately, and the simplest fix is to omit CSRF
	+ // tokens for these URIs in all cases. The error message you receive also
	+ // gives you some hints as to this potential source of error.
	+
	+ if (!$is_absolute_uri) {
	$body[] = phutil_tag(
	'input',
	array(
	'type' => 'hidden',
	'name' => AphrontRequest::getCSRFTokenName(),
	'value' => $user->getCSRFToken(),
	));

	$body[] = phutil_tag(
	'input',
	array(
	'type' => 'hidden',
	'name' => '__form__',
	'value' => true,
	));
	}
	}

	if (is_array($content)) {
	$body = array_merge($body, $content);
	} else {
	$body[] = $content;
	}

	return javelin_tag('form', $attributes, $body);
	}

File Metadata

Mime Type: text/x-diff
Expires: Thu, Nov 13, 6:14 PM (2 h, 29 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 336448
Default Alt Text: (3 KB)

No OneTemporary
Actions

View Options

File Metadata

Event Timeline

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions