Via HackerOne. These endpoints have insufficient policy checks.
Details
- Reviewers: btrahan
- Commits:
  - Restricted Diffusion Commit
  - rPd151c88040d1: Add some missing capability checks for repository mirror edits
Verified endpoints now check policies correctly.
Diff Detail
- Repository: rP Phabricator
- Lint: Lint Not Applicable
- Unit: Tests Not Applicable
Event Timeline
The underlying edit check in the Editor prevents this from being materially bad. An attacker could remove a mirror (annoying), but can't add or edit a mirror (which would have been severe).