Cloudflare recently disclosed that a bug in their reverse proxies inadvertently dumped uninitialized memory from proxy hosts, including the plaintext of private requests and responses, into public responses.
See some details and discussion on Hacker News: https://news.ycombinator.com/item?id=13718752
Phacility SaaS does not use Cloudflare, so hosted Phacility instances are unaffected.
This host (secure.phabricator.com) uses Cloudflare as a CDN, and third-party self-hosted installs may also be configured with Cloudflare. However, if you have configured Cloudflare according to the documentation (i.e., using it only as a CDN frontend for the `security.alternate-file-domain` host, not placing your primary servers behind it), the risk is small:
- Almost all data served via Cloudflare in this configuration is neither sensitive nor interesting (CSS and JavaScript, all of which is open source).
- There is a small possibility that some file content from files stored in the Files application (which is also served through the CDN) leaked. In some cases, this may include source code accessed via "View Raw File" in Diffusion (which creates a temporary file in Files).
- Cookies, sessions, revision content, credentials stored in Passphrase, main site content, repositories, API responses, etc., are never sent to or from the CDN domain and thus were not at risk.
In this case, the most reasonable response is probably to do nothing, which is what we plan to do.
If you have configured your entire install behind Cloudflare (we do not encourage this in the documentation), you are at greater risk, as anything sent to or served by Phabricator could have been leaked. If you believe you are affected and would like help rotating sessions and invalidating credentials, let us know.
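To tell which of the two configurations above an install is in, the quickest check is to look at the response headers of the primary host and of the alternate file domain: Cloudflare-proxied responses carry `Server: cloudflare` and a `CF-RAY` header. The following script is an added example (not Phabricator's own code); the sample headers are constructed, and `fetch_headers()` performs a live HEAD request when you point it at your real hostnames.

```python
"""Classify a Phabricator install's Cloudbleed exposure from response headers.

Added example, not Phabricator's own code. Cloudflare-proxied responses carry
"Server: cloudflare" and a "CF-RAY" header; the primary host being behind
Cloudflare is the "greater risk" case, only the alternate file domain being
behind it is the "small risk" case. Sample headers below are constructed.
"""
import urllib.error
import urllib.request

CF_HEADER_MARKERS = ("cf-ray", "cf-cache-status")


def is_cloudflare_fronted(headers):
    """Return True if the headers look like they came through Cloudflare."""
    lowered = {k.lower(): str(v).lower() for k, v in headers.items()}
    if "cloudflare" in lowered.get("server", ""):
        return True
    return any(marker in lowered for marker in CF_HEADER_MARKERS)


def classify_exposure(primary_headers, file_domain_headers):
    """Map the two hostnames' headers onto the post's risk tiers."""
    if is_cloudflare_fronted(primary_headers):
        return "greater: primary host is behind Cloudflare; rotate sessions and credentials"
    if is_cloudflare_fronted(file_domain_headers):
        return "small: only the alternate file domain is behind Cloudflare"
    return "none: no Cloudflare in the path"


def fetch_headers(url, timeout=10):
    """Live check (needs network): HEAD the URL and return its response headers.

    A 4xx/5xx still carries Cloudflare's headers, so those are returned too.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample headers: origin nginx on the primary host, Cloudflare on the CDN host.
SAMPLE_PRIMARY = {"Server": "nginx/1.10.3", "Set-Cookie": "phsid=EXAMPLE; HttpOnly"}
SAMPLE_CDN = {"Server": "cloudflare", "CF-RAY": "EXAMPLE-RAY", "CF-Cache-Status": "HIT"}

if __name__ == "__main__":
    print(classify_exposure(SAMPLE_PRIMARY, SAMPLE_CDN))
```

Replace the sample dictionaries with `fetch_headers("https://your-primary-host/")` and `fetch_headers("https://your-file-domain/")` to check a real install.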
Broadly, there is nothing Phabricator could have done differently to anticipate or prevent this issue.