Page MenuHomePhabricator

Ancient "feed.publish" API is (at best) long obsolete, and arguably exploitable
Closed, ResolvedPublic



The ancient feed.publish API, introduced in D593, has (to my knowledge) never been used by anyone to do anything. At the time, the feed system was more modular and ad-hoc; after the "transaction" architecture took hold the feed architecture became more of a view of transactions.

This method predates the policy system and doesn't really do any kind of checks on anything, and callers can publish made-up feed stories. They can't necessarily do anything genuinely harmful with this (the best the HackerOne researcher could find was "make it look like you awarded an object you can't see a token") but these writes are inappropriate in modern Phabricator and there is no reason for this method to exit.

Revisions and Commits

Related Objects