Paths

Table of Contentst

Differential D11764

Lock all reply-handler options in the upstream, plus cookie prefix
ClosedPublic
Actions

Authored by epriestley on Feb 13 2015, 3:53 PM.

Tags

None

Referenced Files

	F13224643: D11764.diff
	Sun, May 19, 9:48 AM

	Unknown Object (File)
	Sat, Apr 27, 3:35 PM

	Unknown Object (File)
	Apr 16 2024, 10:54 AM

	Unknown Object (File)
	Apr 7 2024, 3:23 AM

	Unknown Object (File)
	Apr 3 2024, 5:43 AM

	Unknown Object (File)
	Apr 1 2024, 1:23 PM

	Unknown Object (File)
	Feb 7 2024, 8:52 AM

	Unknown Object (File)
	Feb 7 2024, 8:52 AM

Subscribers

Details

Reviewers

Maniphest Tasks

T7185: Review all configuration and lock anything that has paths or magic in it

Commits

Restricted Diffusion Commit
rPe5b402d13f76: Lock all reply-handler options in the upstream, plus cookie prefix

Summary

Ref T7185. These settings shouldn't be unlocked anywhere. Specifically:

reply-handler: These are on the way out.
reply-handler-domain: Also hopefully on the way out; locked because a compromised administrator account can redirect replies.
phabricator.cookie-prefix: Not dangerous per se, but an admin could have a hard time fixing this if they changed it by accident since their session would become invalid immediately.

Test Plan

Browsed Config.

Diff Detail

Repository

Branch

config2

Lint

Lint Passed

Unit

Tests Passed

Build Status

Buildable 4493
Build 4507: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley updated this revision to Diff 28363.Feb 13 2015, 3:53 PM

epriestley retitled this revision from to Lock all reply-handler options in the upstream, plus cookie prefix.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added a reviewer: btrahan.

epriestley added a task: T7185: Review all configuration and lock anything that has paths or magic in it.

Herald added a subscriber: epriestley. · View Herald TranscriptFeb 13 2015, 3:53 PM

btrahan accepted this revision.Feb 13 2015, 5:47 PM

btrahan edited edge metadata.

This revision is now accepted and ready to land.Feb 13 2015, 5:47 PM

Closed by commit rPe5b402d13f76: Lock all reply-handler options in the upstream, plus cookie prefix (authored by epriestley, committed by epriestley). · Explain WhyFeb 13 2015, 7:00 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

config/

option/

PhabricatorCoreConfigOptions.php

3 lines

PhabricatorMetaMTAConfigOptions.php

1 line

differential/

config/

PhabricatorDifferentialConfigOptions.php

2 lines

diffusion/

config/

PhabricatorDiffusionConfigOptions.php

2 lines

macro/

config/

PhabricatorMacroConfigOptions.php

1 line

maniphest/

config/

PhabricatorManiphestConfigOptions.php

2 lines

owners/

config/

PhabricatorOwnersConfigOptions.php

1 line

pholio/

config/

PhabricatorPholioConfigOptions.php

1 line

Diff 28363

src/applications/config/option/PhabricatorCoreConfigOptions.php

Loading...

src/applications/config/option/PhabricatorMetaMTAConfigOptions.php

Loading...

src/applications/differential/config/PhabricatorDifferentialConfigOptions.php

Loading...

src/applications/diffusion/config/PhabricatorDiffusionConfigOptions.php

Loading...

src/applications/macro/config/PhabricatorMacroConfigOptions.php

Loading...

src/applications/maniphest/config/PhabricatorManiphestConfigOptions.php

Loading...

src/applications/owners/config/PhabricatorOwnersConfigOptions.php

Loading...

src/applications/pholio/config/PhabricatorPholioConfigOptions.php

Loading...