Looks ok except this 403 should be 404:

reset_password.php

    if (!$proxy_record || $proxy_record['login_url'] != $_GET[lu])
    {
        include($_SERVER[DOCUMENT_ROOT]."/http-errors/403.php");
    ...

The idea is to *always* return 404 any time invalid input/incorrect secret value is provided to a page outside of an authenticated session. This is to defend against an adversary scanning arbitrary web hosts for Psiphon proxies that respond to HTTP requests with some fingerprintable response.
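As an added example (not code from the Psiphon repository or from the reviewer), the same check rewritten so that every failure outside an authenticated session produces the server's ordinary 404, with the secret compared in constant time. The helper names, the constructed sample record and the 404 template path are assumptions.

```php
<?php
// Added example, not Psiphon's code. One helper that every unauthenticated
// page calls when input or the secret is wrong, so the response cannot be
// told apart from the server's own 404 for a path that does not exist.

function fail_as_not_found()
{
    // A 403 here would tell a scanner that *something* is protecting this
    // URL. Use the same status the web server sends for a missing path.
    http_response_code(404);
    // Assumed path: the template served for genuinely missing paths, so the
    // body length and markup match the real 404 exactly. Any extra header
    // added only on this path (cookies, cache hints) would re-enable
    // fingerprinting, so this helper sets none.
    include($_SERVER['DOCUMENT_ROOT'] . '/http-errors/404.php');
    exit;
}

function check_login_url_secret($proxy_record, $query)
{
    // Missing parameter, unknown record and wrong secret all take the same
    // path: no distinct message, no distinct status code.
    if (!$proxy_record || !isset($query['lu']) || !is_string($query['lu'])) {
        return false;
    }
    // Constant-time comparison (PHP >= 5.6) so response timing does not leak
    // how many leading bytes of a guessed secret were correct.
    return hash_equals((string) $proxy_record['login_url'], $query['lu']);
}

// Constructed stand-in for the database lookup the real page performs;
// the value is a placeholder, not a real Psiphon secret.
$proxy_record = array('login_url' => 'constructed-secret-token');

if (!check_login_url_secret($proxy_record, $_GET)) {
    fail_as_not_found();
}
// Reaching this point means the caller presented the correct secret.
```

Compare the helper's output byte-for-byte (status line, headers, body) against a request for a random nonexistent path on the same host; any difference is a fingerprint.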