Page MenuHomePhabricator
Differential D11046

Lock feed.public and feed.http-hooks config options
ClosedPublic
Actions

Authored by epriestley on Dec 28 2014, 4:29 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Dec 18, 1:59 AM
Unknown Object (File)
Nov 29 2024, 12:23 AM
Unknown Object (File)
Nov 26 2024, 9:52 PM
Unknown Object (File)
Nov 24 2024, 2:55 AM
Unknown Object (File)
Nov 21 2024, 9:01 PM
Unknown Object (File)
Nov 20 2024, 4:14 PM
Unknown Object (File)
Nov 18 2024, 11:25 AM
Unknown Object (File)
Nov 14 2024, 10:45 AM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
chad
Maniphest Tasks
T6817: Token given feed entry's target link is not struck through and greyed out when the target is closed
T5726: Add more information to story POSTs during the feed.http-hooks hook
Commits
Restricted Diffusion Commit
rP9dd0eca335d5: Lock feed.public and feed.http-hooks config options
Summary

Ref T6817. Ref T5726. These both bypass policy checks, and would allow an attacker who gains control of an administrative account to enable public feed, then view feed stories they could not normally see; or enable feed.http-hooks, then read the posted text.

In the longer term I'd like to remove feed.public completely (possibly providing API alternatives, if necessary).

Test Plan

Looked at options in web UI and saw them locked.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 26527.Dec 28 2014, 4:29 PM
epriestley retitled this revision from to Lock feed.public and feed.http-hooks config options.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added reviewers: chad, btrahan.
epriestley added tasks: T5726: Add more information to story POSTs during the feed.http-hooks hook, T6817: Token given feed entry's target link is not struck through and greyed out when the target is closed.
Herald added a subscriber: epriestley. · View Herald TranscriptDec 28 2014, 4:29 PM
chad accepted this revision.Dec 29 2014, 3:03 AM
chad edited edge metadata.
This revision is now accepted and ready to land.Dec 29 2014, 3:03 AM
Closed by commit rP9dd0eca335d5: Lock feed.public and feed.http-hooks config options (authored by epriestley, committed by epriestley). · Explain WhyDec 29 2014, 4:04 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
applications/
feed/
config/
2 lines

Diff 26533

View Options

src/applications/feed/config/PhabricatorFeedConfigOptions.php

Loading...
Phabricator · Built by Phacility