Page MenuHomePhabricator

Lock `phabricator.show-prototypes`
ClosedPublic

Authored by epriestley on Dec 15 2014, 6:59 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Dec 19, 1:27 PM
Unknown Object (File)
Thu, Dec 19, 1:26 PM
Unknown Object (File)
Thu, Dec 19, 1:26 PM
Unknown Object (File)
Tue, Dec 10, 2:14 AM
Unknown Object (File)
Tue, Dec 3, 8:31 AM
Unknown Object (File)
Sun, Nov 24, 2:38 PM
Unknown Object (File)
Sat, Nov 23, 2:54 AM
Unknown Object (File)
Nov 6 2024, 5:16 AM
Subscribers

Details

Reviewers
btrahan
Commits
Restricted Diffusion Commit
rP2c7be52fc23e: Lock `phabricator.show-prototypes`
Summary

Two goals:

  • If an attacker compromises an administrator account (without compromising the host itself), they can currently take advantage of vulnerabilities in prototype applications by enabling the applications, then exploiting the vulnerability. Locking this option requires CLI access to enable prototypes, so installs which do not have prototypes enabled have no exposure to security issues in prototype applications.
  • Making this very slightly harder to enable is probably a good thing, given the state of the world and support.
Test Plan

Verified that web UI shows the value is locked and instructs the user to update via the CLI.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Lock `phabricator.show-prototypes`.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
This revision is now accepted and ready to land.Dec 15 2014, 6:59 PM
This revision was automatically updated to reflect the committed changes.