
Not secure generating
Closed, Invalid (Public)

Description

Version Information

phabricator 9829ecddd695e7c1d866576da098fa2830855511 (Jan 27 2017)
arcanist f3037bf216e52e14f01e5c93158c6c767b94696d (Tue, Feb 14)
phutil 82f71f62129bc19f28aeed8c660c931e512a66e7 (Thu, Feb 9)

When we use Advanced search, sometimes we receive links like this:
~ /maniphest/query/.ntEyFuV3n0a/#R
~ /search/query/.*

And we need to allow access to names which start with a "dot" in our security rules.
This is not secure; can you provide a rule to deny generating names with a "dot" at the start?

Event Timeline

This is not a bug. If you feel this is a security issue, please file an appropriate task on HackerOne. https://hackerone.com/phabricator

epriestley added a subscriber: epriestley.

Sometimes, Apache is configured with a rule which prevents any access to any URL which contains /..

My understanding is that the primary reason for this is to prevent accidental access to .htaccess files, which may contain raw passwords in some obscure configurations. The attack is: load http://secret-stuff.mycompany.com/.htaccess, and if things are sufficiently misconfigured that might serve some (HTTP Basic Auth) credentials which you can then reuse to attack http://admin:hunter42@extra-secret-stuff.mycompany.com/. A blanket denial of /. paths raises the barrier to making this configuration mistake.

Phabricator is not compatible with this rule and cannot be made compatible with it. Although we could strip initial dots from query URLs, we cannot reasonably serve a URL to a file like /.gitignore in Diffusion without having /. in the URL.

Incompatibility with this rule in the context of Phabricator itself is not a security concern, and this is not a bug in Phabricator.

If this rule is an important part of your security model for the rest of your server (which, I think, is questionable in a serious, modern setup), you should configure this rule to only apply outside of Phabricator.
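The configuration below is an added illustration of the advice in the comment above; it is not part of the task and not Phabricator's own configuration. It contrasts the blanket "/." denial the reporter is using with the narrower rule that addresses the actual risk (direct requests for .htaccess/.htpasswd), and shows the blanket rule scoped to a virtual host that does not serve Phabricator. It assumes Apache 2.4 with mod_rewrite, Phabricator on its own virtual host, and placeholder hostnames and paths (www.example.com, phabricator.example.com, /var/www/html, /path/to/phabricator/webroot). The Phabricator virtual host uses the rewrite rule from Phabricator's Apache setup documentation.

```apache
# Added example (not from the task page or the Phabricator project).
# Assumes Apache 2.4 + mod_rewrite; hostnames and paths are placeholders.

# --- Overbroad rule (the one the task describes) ---
# Forbids every request whose path contains "/." anywhere, so
# /maniphest/query/.ntEyFuV3n0a/ and a Diffusion URL for /.gitignore
# both get a 403. Shown commented out; do not apply it server-wide.
#   RewriteEngine On
#   RewriteRule "/\." - [F]

# --- Narrow rule for the real risk: direct reads of .htaccess/.htpasswd ---
# Apache's stock httpd.conf ships this block. It applies to the file name
# only, so a path segment such as /.ntEyFuV3n0a/ is unaffected.
<Files ".ht*">
    Require all denied
</Files>

# --- Blanket rule kept, but only outside Phabricator ---
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    RewriteEngine On
    # Nothing legitimate here uses dot-prefixed path segments,
    # so the blanket denial is harmless in this vhost.
    RewriteRule "/\." - [F]
</VirtualHost>

<VirtualHost *:80>
    ServerName phabricator.example.com
    DocumentRoot /path/to/phabricator/webroot
    RewriteEngine On
    # No "/\." rule in this vhost. Phabricator's documented rewrite routes
    # every path through index.php, so no file under the webroot (including
    # any .ht* file) is served directly; the <Files> block above still applies.
    RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA]
</VirtualHost>
```

A quick check after reloading Apache: a request for /.htaccess on either host should return 403, while /maniphest/query/.ntEyFuV3n0a/ on the Phabricator host should load normally and the same path on www.example.com should be forbidden.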