It can be argued this is not Phabricator's problem, however I would argue that this configuration situation is so common that Phabricator's behaviour is a problem for many of us.
Environment:
- CentOS 6
- nginx 1.x from webtatic
- PHP 5.6.x from webtatic
- phabricator 2c67d9c8ace2800ec618549963c4036e92cb3a9b (Fri, Mar 4)
- arcanist 1439aaa871837031faa1ef26b81f1fb08e4a41e7 (Fri, Mar 4)
- phutil 76425eaa812572cc02487db79f2dd43d93e3085f (Fri, Mar 4)
Problem:
The generated Project query key started with a "." in the URI path, which caused my nginx config to return 403 Forbidden.
Steps to reproduce:
- Go to Projects
- Click Active
- Click Edit Query
- Select the Project briefcase icon
- Click Execute Query
- Got a 403 with the URL: https://phabricator.mynetwork.local/project/query/.hmmCj2i6C9j/
Why I think this is Phabricator and not my configuration problem:
It is extremely common to have an nginx configuration that hides .htaccess, .svn, .gitignore, .idea and a plethora of other files that are meant to be hidden from exposure over HTTP. Many projects, tutorials and guides recommend doing this, and here is mine, which I believe I may have gotten from the default configuration the webtatic nginx package for CentOS ships with:
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }
Yes, I fixed the issue by editing my nginx config, but it was not obvious what was going on at first. It could be argued that Phabricator forced me to make my nginx config less secure. I think Phabricator could easily implement a fix for this and save a lot of us headaches.
The Fix:
Ensure that any generated URL token for custom queries (probably not just for Projects) does not start with a ".".
Sorry I can't contribute a patch at this time. :(
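The interaction described above, as an added example that is not part of the original report or of Phabricator's code: a check that mirrors the report's `location ~ /\.` block, and a key generator that applies the proposed fix by never drawing "." as the first character. The key alphabet and length are assumptions, not Phabricator's actual generator.

```python
import re
import secrets
import string

# The nginx block from the report, "location ~ /\.", is a regex location:
# it matches any URI that contains a path segment beginning with a dot.
DOTFILE_LOCATION = re.compile(r"/\.")


def nginx_denies(uri_path: str) -> bool:
    """True if the report's dotfile location block would answer 403 for this path."""
    return DOTFILE_LOCATION.search(uri_path) is not None


# Assumed alphabet for generated query keys (an assumption, not Phabricator's
# real one). It deliberately includes "." so the reported collision can occur.
KEY_ALPHABET = string.ascii_letters + string.digits + "._-"
FIRST_CHAR_ALPHABET = KEY_ALPHABET.replace(".", "")


def generate_query_key(length: int = 12) -> str:
    """Random query key whose first character is never "." (the proposed fix).

    Only the leading character matters for "location ~ /\\.": a dot later in
    the key ("h.mm...") is not preceded by "/" and therefore does not match.
    """
    if length < 1:
        raise ValueError("key length must be at least 1")
    first = secrets.choice(FIRST_CHAR_ALPHABET)
    rest = "".join(secrets.choice(KEY_ALPHABET) for _ in range(length - 1))
    return first + rest


def query_uri(key: str) -> str:
    """Build the URI path the report shows for a saved Project query."""
    return f"/project/query/{key}/"


if __name__ == "__main__":
    # The key from the report trips the dotfile block; a fixed key does not.
    print(nginx_denies(query_uri(".hmmCj2i6C9j")))  # True
    print(nginx_denies(query_uri(generate_query_key())))  # False
```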