
Security - disable conduit act as user by default
ClosedPublic

Authored by btrahan on Jul 10 2014, 10:28 PM.
Tags
None

Details

Reviewers
epriestley
Maniphest Tasks
Restricted Maniphest Task
Commits
Restricted Diffusion Commit
rPe281c5ee9045: Security - disable conduit act as user by default
Required Signatures
L28 Phacility Individual Contributor License Agreement
Summary

Introduce a new configuration setting that by default disables the conduit act as user method. Wordily explain that turning it on is not recommended. Fixes T3818.

Test Plan
15:25:19 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)
~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":null,"errorMessage":null,"response":{"phid":"PHID-USER-tghb3b2gbdyezdcuw2or","userName":"btrahan","realName":"Bob Trahan","image":"http:\/\/phalanx.dev\/file\/data\/yncjbh7phk7ktrdhuorn\/PHID-FILE-qyf4ui3x2ll3e52hpg5e\/profile-profile-gravatar","uri":"http:\/\/phalanx.dev\/p\/btrahan\/","roles":["admin","verified","approved","activated"]}}
15:25:34 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)

<go edit libconfig/conduitclient to spoof another user...>

~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":"ERR-CONDUIT-CORE","errorMessage":"ERR-CONDUIT-CORE: security.allow-conduit-act-as-user is disabled","response":null}
15:26:40 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)

<enable option via bin/config....>

~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":null,"errorMessage":null,"response":{"phid":"PHID-USER-6lcglnzbkiamdofishgi","userName":"xerxes","realName":"Xerxes Trahan","image":"http:\/\/phalanx.dev\/file\/data\/n2kyeevowetcuynbcxrg\/PHID-FILE-voquikectzpde256zzvm\/profile-1275455993.jpg","uri":"http:\/\/phalanx.dev\/p\/xerxes\/","roles":["verified","approved","activated"]}}

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

btrahan added a task: Restricted Maniphest Task.
btrahan retitled this revision from to Security - disable conduit act as user by default.
btrahan updated this object.
btrahan edited the test plan for this revision.
btrahan added a reviewer: epriestley.
epriestley edited edge metadata.
epriestley added subscribers: sowedance, jevripio.

@jevripio, @sowedance -- heads up that you'll need to flip this on if you rely on actAsUser. See T3818 for more discussion.

This revision is now accepted and ready to land. (Jul 10 2014, 10:39 PM)
btrahan updated this revision to Diff 23721.

Closed by commit rPe281c5ee9045 (authored by @btrahan).

Will do, thanks for the heads up!