Page MenuHomePhabricator
Differential D11046

Lock feed.public and feed.http-hooks config options
ClosedPublic
Actions

Authored by epriestley on Dec 28 2014, 4:29 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Apr 11, 8:39 AM
Unknown Object (File)
Wed, Apr 10, 4:34 PM
Unknown Object (File)
Mar 13 2024, 4:57 AM
Unknown Object (File)
Feb 28 2024, 10:06 AM
Unknown Object (File)
Feb 28 2024, 9:57 AM
Unknown Object (File)
Feb 28 2024, 9:57 AM
Unknown Object (File)
Feb 28 2024, 9:55 AM
Unknown Object (File)
Feb 3 2024, 4:15 AM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
chad
Maniphest Tasks
T6817: Token given feed entry's target link is not struck through and greyed out when the target is closed
T5726: Add more information to story POSTs during the feed.http-hooks hook
Commits
Restricted Diffusion Commit
rP9dd0eca335d5: Lock feed.public and feed.http-hooks config options
Summary

Ref T6817. Ref T5726. These both bypass policy checks, and would allow an attacker who gains control of an administrative account to enable public feed, then view feed stories they could not normally see; or enable feed.http-hooks, then read the posted text.

In the longer term I'd like to remove feed.public completely (possibly providing API alternatives, if necessary).

Test Plan

Looked at options in web UI and saw them locked.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 26527.Dec 28 2014, 4:29 PM
epriestley retitled this revision from to Lock feed.public and feed.http-hooks config options.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added reviewers: chad, btrahan.
epriestley added tasks: T5726: Add more information to story POSTs during the feed.http-hooks hook, T6817: Token given feed entry's target link is not struck through and greyed out when the target is closed.
Herald added a subscriber: epriestley. · View Herald TranscriptDec 28 2014, 4:29 PM
chad accepted this revision.Dec 29 2014, 3:03 AM
chad edited edge metadata.
This revision is now accepted and ready to land.Dec 29 2014, 3:03 AM
Closed by commit rP9dd0eca335d5: Lock feed.public and feed.http-hooks config options (authored by epriestley, committed by epriestley). · Explain WhyDec 29 2014, 4:04 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
applications/
feed/
config/
2 lines

Diff 26533

View Options

src/applications/feed/config/PhabricatorFeedConfigOptions.php

Loading...
Phabricator · Built by Phacility