
diff --git a/src/applications/auth/constants/PhabricatorCookies.php b/src/applications/auth/constants/PhabricatorCookies.php
index 9675d21d42..9dc9d823b2 100644
--- a/src/applications/auth/constants/PhabricatorCookies.php
+++ b/src/applications/auth/constants/PhabricatorCookies.php
@@ -1,179 +1,179 @@
<?php
/**
* Consolidates Phabricator application cookies, including registration
* and session management.
*
* @task clientid Client ID Cookie
* @task next Next URI Cookie
*/
final class PhabricatorCookies extends Phobject {
/**
* Stores the login username for password authentication. This is just a
* display value for convenience, used to prefill the login form. It is not
* authoritative.
*/
const COOKIE_USERNAME = 'phusr';
/**
* Stores the user's current session ID. This is authoritative and establishes
* the user's identity.
*/
const COOKIE_SESSION = 'phsid';
/**
* Stores a secret used during new account registration to prevent an attacker
* from tricking a victim into registering an account which is linked to
* credentials the attacker controls.
*/
const COOKIE_REGISTRATION = 'phreg';
/**
* Stores a secret used during OAuth2 handshakes to prevent various attacks
* where an attacker hands a victim a URI corresponding to the middle of an
* OAuth2 workflow and we might otherwise do something sketchy. Particularly,
* this corresponds to the OAuth2 "code".
*/
const COOKIE_CLIENTID = 'phcid';
/**
* Stores the URI to redirect the user to after login. This allows users to
* visit a path like `/feed/`, be prompted to login, and then be redirected
* back to `/feed/` after the workflow completes.
*/
const COOKIE_NEXTURI = 'next_uri';
/**
* Stores a hint that the user should be moved directly into high security
* after upgrading a partial login session. This is used during password
* recovery to avoid a double-prompt.
*/
const COOKIE_HISEC = 'jump_to_hisec';
/**
* Stores an invite code.
*/
const COOKIE_INVITE = 'invite';
/**
* Stores a workflow completion across a redirect-after-POST following a
* form submission. This can be used to show "Changes Saved" messages.
*/
const COOKIE_SUBMIT = 'phfrm';
/* -( Client ID Cookie )--------------------------------------------------- */
/**
* Set the client ID cookie. This is a random cookie used like a CSRF value
* during authentication workflows.
*
* @param AphrontRequest Request to modify.
* @return void
* @task clientid
*/
public static function setClientIDCookie(AphrontRequest $request) {
// NOTE: See T3471 for some discussion. Some browsers and browser extensions
// can make duplicate requests, so we overwrite this cookie only if it is
// not present in the request. The cookie lifetime is limited by making it
// temporary and clearing it when users log out.
$value = $request->getCookie(self::COOKIE_CLIENTID);
if (!phutil_nonempty_string($value)) {
$request->setTemporaryCookie(
self::COOKIE_CLIENTID,
Filesystem::readRandomCharacters(16));
}
}
/* -( Next URI Cookie )---------------------------------------------------- */
/**
* Set the Next URI cookie. We only write the cookie if it wasn't recently
* written, to avoid writing over a real URI with a bunch of "humans.txt"
* stuff. See T3793 for discussion.
*
* @param AphrontRequest Request to write to.
* @param string URI to write.
* @param bool Write this cookie even if we have a fresh
* cookie already.
* @return void
*
* @task next
*/
public static function setNextURICookie(
AphrontRequest $request,
$next_uri,
$force = false) {
if (!$force) {
$cookie_value = $request->getCookie(self::COOKIE_NEXTURI);
list($set_at, $current_uri) = self::parseNextURICookie($cookie_value);
// If the cookie was set within the last 2 minutes, don't overwrite it.
// Primarily, this prevents browser requests for resources which do not
// exist (like "humans.txt" and various icons) from overwriting a normal
// URI like "/feed/".
if ($set_at > (time() - 120)) {
return;
}
}
$new_value = time().','.$next_uri;
$request->setTemporaryCookie(self::COOKIE_NEXTURI, $new_value);
}
/**
* Read the URI out of the Next URI cookie.
*
* @param AphrontRequest Request to examine.
* @return string|null Next URI cookie's URI value.
*
* @task next
*/
public static function getNextURICookie(AphrontRequest $request) {
$cookie_value = $request->getCookie(self::COOKIE_NEXTURI);
list($set_at, $next_uri) = self::parseNextURICookie($cookie_value);
return $next_uri;
}
/**
* Parse a Next URI cookie into its components.
*
* @param string Raw cookie value.
* @return list<string> List of timestamp and URI.
*
* @task next
*/
private static function parseNextURICookie($cookie) {
// Old cookies look like: /uri
// New cookies look like: timestamp,/uri
- if (!strlen($cookie)) {
+ if (!phutil_nonempty_string($cookie)) {
return null;
}
if (strpos($cookie, ',') !== false) {
list($timestamp, $uri) = explode(',', $cookie, 2);
return array((int)$timestamp, $uri);
}
return array(0, $cookie);
}
}
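Review bot: The docblock on parseNextURICookie still says `@return list<string> List of timestamp and URI`, but the function returns `null` when the new `phutil_nonempty_string` guard fails and its first element is cast to `int`; both callers then `list()`-destructure that `null`, which PHP silently turns into two nulls rather than failing. Suggest correcting the contract so the null return is visible to readers: `@return list<int|string>|null Two-element list of (set timestamp, URI), or null when the cookie is absent or empty.` It may also be worth noting inline that `setNextURICookie` relies on `null > (time() - 120)` being false to treat a missing cookie as stale, e.g. `// A missing/empty cookie parses to null; null is never "fresh", so it is overwritten.` Note that `phutil_nonempty_string` is stricter than the old `strlen` check for non-string input, so it presumably depends on `getCookie` returning only string or null — worth confirming against AphrontRequest.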
diff --git a/src/applications/people/cache/PhabricatorUserProfileImageCacheType.php b/src/applications/people/cache/PhabricatorUserProfileImageCacheType.php
index 8babff859f..195d880fff 100644
--- a/src/applications/people/cache/PhabricatorUserProfileImageCacheType.php
+++ b/src/applications/people/cache/PhabricatorUserProfileImageCacheType.php
@@ -1,109 +1,112 @@
<?php
final class PhabricatorUserProfileImageCacheType
extends PhabricatorUserCacheType {
const CACHETYPE = 'user.profile';
const KEY_URI = 'user.profile.image.uri.v1';
public function getAutoloadKeys() {
return array(
self::KEY_URI,
);
}
public function canManageKey($key) {
return ($key === self::KEY_URI);
}
public function getDefaultValue() {
return PhabricatorUser::getDefaultProfileImageURI();
}
public function newValueForUsers($key, array $users) {
$viewer = $this->getViewer();
$file_phids = array();
$generate_users = array();
foreach ($users as $user) {
$user_phid = $user->getPHID();
$custom_phid = $user->getProfileImagePHID();
$default_phid = $user->getDefaultProfileImagePHID();
$version = $user->getDefaultProfileImageVersion();
if ($custom_phid) {
$file_phids[$user_phid] = $custom_phid;
continue;
}
if ($default_phid) {
if ($version == PhabricatorFilesComposeAvatarBuiltinFile::VERSION) {
$file_phids[$user_phid] = $default_phid;
continue;
}
}
$generate_users[] = $user;
}
$generator = new PhabricatorFilesComposeAvatarBuiltinFile();
foreach ($generate_users as $user) {
$file = $generator->updateUser($user);
$file_phids[$user->getPHID()] = $file->getPHID();
}
if ($file_phids) {
$files = id(new PhabricatorFileQuery())
->setViewer($viewer)
->withPHIDs($file_phids)
->execute();
$files = mpull($files, null, 'getPHID');
} else {
$files = array();
}
$results = array();
foreach ($users as $user) {
$image_phid = $user->getProfileImagePHID();
$default_phid = $user->getDefaultProfileImagePHID();
if (isset($files[$image_phid])) {
$image_uri = $files[$image_phid]->getBestURI();
} else if (isset($files[$default_phid])) {
$image_uri = $files[$default_phid]->getBestURI();
} else {
$image_uri = PhabricatorUser::getDefaultProfileImageURI();
}
$user_phid = $user->getPHID();
$version = $this->getCacheVersion($user);
$results[$user_phid] = "{$version},{$image_uri}";
}
return $results;
}
public function getValueFromStorage($value) {
$parts = explode(',', $value, 2);
return end($parts);
}
public function shouldValidateRawCacheData() {
return true;
}
public function isRawCacheDataValid(PhabricatorUser $user, $key, $data) {
+ if ($data === null) {
+ return false;
+ }
$parts = explode(',', $data, 2);
$version = reset($parts);
return ($version === $this->getCacheVersion($user));
}
private function getCacheVersion(PhabricatorUser $user) {
$parts = array(
PhabricatorEnv::getCDNURI('/'),
PhabricatorEnv::getEnvConfig('cluster.instance'),
$user->getProfileImagePHID(),
);
$parts = serialize($parts);
return PhabricatorHash::digestForIndex($parts);
}
}
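Review bot: The `$data === null` guard added at the top of isRawCacheDataValid does not cover getValueFromStorage just above it, which still passes `$value` straight to `explode()` and so takes the same null-to-string path the new check avoids. Whether that method can ever receive null presumably depends on the cache layer consulting isRawCacheDataValid first (shouldValidateRawCacheData returns true), but that ordering is not visible in this file. If that invariant holds, make it explicit with a comment on getValueFromStorage such as `// Raw data has already passed isRawCacheDataValid(), so $value is a non-null string here.`; otherwise mirror the guard there. The strict `===` against the digest in isRawCacheDataValid means an empty-string `$data` is still rejected safely, so the new check only needs to handle null.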
