Page MenuHomestyx hydra
Files F1989699

No OneTemporary
Actions

View Options

diff --git a/src/infrastructure/javelin/markup.php b/src/infrastructure/javelin/markup.php
index 5477f5687b..b845b33ae8 100644
--- a/src/infrastructure/javelin/markup.php
+++ b/src/infrastructure/javelin/markup.php
@@ -1,67 +1,92 @@
<?php
function javelin_tag(
$tag,
array $attributes = array(),
$content = null) {
if (isset($attributes['sigil']) ||
isset($attributes['meta']) ||
isset($attributes['mustcapture'])) {
foreach ($attributes as $k => $v) {
switch ($k) {
case 'sigil':
$attributes['data-sigil'] = $v;
unset($attributes[$k]);
break;
case 'meta':
$response = CelerityAPI::getStaticResourceResponse();
$id = $response->addMetadata($v);
$attributes['data-meta'] = $id;
unset($attributes[$k]);
break;
case 'mustcapture':
if ($v) {
$attributes['data-mustcapture'] = '1';
} else {
unset($attributes['data-mustcapture']);
}
unset($attributes[$k]);
break;
}
}
}
return phutil_tag($tag, $attributes, $content);
}
function phabricator_form(PhabricatorUser $user, $attributes, $content) {
$body = array();
- if (strcasecmp(idx($attributes, 'method'), 'POST') == 0 &&
- !preg_match('#^(https?:|//)#', idx($attributes, 'action'))) {
- $body[] = phutil_tag(
- 'input',
- array(
- 'type' => 'hidden',
- 'name' => AphrontRequest::getCSRFTokenName(),
- 'value' => $user->getCSRFToken(),
- ));
+ $http_method = idx($attributes, 'method');
+ $is_post = (strcasecmp($http_method, 'POST') === 0);
- $body[] = phutil_tag(
- 'input',
- array(
- 'type' => 'hidden',
- 'name' => '__form__',
- 'value' => true,
- ));
+ $http_action = idx($attributes, 'action');
+ $is_absolute_uri = preg_match('#^(https?:|//)#', $http_action);
+
+ if ($is_post) {
+ if ($is_absolute_uri) {
+ $is_dev = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
+ if ($is_dev) {
+ $form_domain = id(new PhutilURI($http_action))
+ ->getDomain();
+ $host_domain = id(new PhutilURI(PhabricatorEnv::getURI('/')))
+ ->getDomain();
+
+ if (strtolower($form_domain) == strtolower($host_domain)) {
+ throw new Exception(
+ pht(
+ "You are building a <form /> that submits to Phabricator, but ".
+ "has an absolute URI in its 'action' attribute ('%s'). To avoid ".
+ "leaking CSRF tokens, Phabricator does not add CSRF information ".
+ "to forms with absolute URIs. Instead, use a relative URI.",
+ $http_action));
+ }
+ }
+ } else {
+ $body[] = phutil_tag(
+ 'input',
+ array(
+ 'type' => 'hidden',
+ 'name' => AphrontRequest::getCSRFTokenName(),
+ 'value' => $user->getCSRFToken(),
+ ));
+
+ $body[] = phutil_tag(
+ 'input',
+ array(
+ 'type' => 'hidden',
+ 'name' => '__form__',
+ 'value' => true,
+ ));
+ }
}
if (is_array($content)) {
$body = array_merge($body, $content);
} else {
$body[] = $content;
}
return javelin_tag('form', $attributes, $body);
}

File Metadata

Mime Type
text/x-diff
Expires
Mon, Dec 1, 3:18 AM (1 d, 2 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
430174
Default Alt Text
(3 KB)

Event Timeline

styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)