Page MenuHomePhabricator

Added a setup check for empty REMOTE_ADDR
ClosedPublic

Authored by jcox on Aug 25 2016, 4:32 PM.
Tags
None
Referenced Files
F18748449: D16450.diff
Fri, Oct 3, 10:39 PM
F18674128: D16450.id39568.diff
Thu, Sep 25, 1:21 PM
F18640974: D16450.diff
Thu, Sep 18, 7:26 PM
F18605812: D16450.id39566.diff
Sat, Sep 13, 9:21 PM
F18596443: D16450.id39567.diff
Sat, Sep 13, 12:41 AM
F18467534: D16450.id.diff
Sep 2 2025, 1:00 PM
F18460628: D16450.diff
Sep 1 2025, 7:18 PM
F18417499: D16450.diff
Aug 30 2025, 11:54 AM

Details

Summary

Fixes T8850. Previously, if a user's preamble script mangled $_SERVER['REMOTE_ADDR'] or somehow set it to null, the user would get errors when performing certain actions. Now those errors shouldn't occur, and instead the user will be warned that there is a setup issue related to their preamble script.

Test Plan

Create a preamble script that contains $_SERVER['REMOTE_ADDR'] = null; then navigate to /config/issue/. There should be a warning there about REMOTE_ADDR not being available.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jcox retitled this revision from to Added a setup check for empty REMOTE_ADDR.
jcox updated this object.
jcox edited the test plan for this revision. (Show Details)
epriestley added a reviewer: epriestley.
epriestley added inline comments.
src/applications/config/check/PhabricatorPHPConfigSetupCheck.php
212–221

This sort of fragment ("%s and double-check") may be difficult to translate into other languages, since they may want to change word order or need to adjust articles depending on noun gender.

A rephrasing that uses fewer fragments, maybe like this one, may be easier to translate in a natural-sounding way:

Consult the documentation (%s) and double-check....

Where the replacement is just a link titled "Configuring a Preamble Script".

(This is maybe-possibly slightly better for assistive technology / screenreader stuff too, since it makes "read all links on this page" more meaningful, although probably not too substantively.)

219

Just omit 'rel' -- we automatically manage it (currently, by adding 'noreferrer' to non-local links) and specifying it will override whatever behavior we're implementing.

(It's possible that we should change the behavior, e.g., to include noopener, although the use-window.opener-to-do-phishing-stuff attack doesn't currently seem hugely concerning to me. If you want to make an argument for changing the defaults, feel free to file a task.)

This revision is now accepted and ready to land.Aug 25 2016, 4:51 PM
jcox edited edge metadata.
  • Updated paragraph to be more translatable
jcox marked 2 inline comments as done.Aug 25 2016, 4:57 PM
This revision was automatically updated to reflect the committed changes.