Page MenuHomePhabricator
Create Task
Maniphest T4039

Prevent a repository from being set to the same "local path" as some other repository
Closed, ResolvedPublic
Actions

Description

This is no longer a security issue, but it would still be vaguely nice to prevent several repositories from being mapped to the same local path. Nothing good can ever come of such a setup.

Previously...

An attacker with "Create Repository" permission can theoretically access repositories they are not permitted to view by creating a repository with the same local path as another repository.

Revisions and Commits

rP Phabricator
D15837rPdd2b10b8f859 Guarantee repositories have unique local paths
D7579rPf5ca647d2c52 Add `bin/repository edit` for CLI repository editing
D7580rP2dc8065d1143 Prevent Repository local path edit from the web UI

Related Objects

Event Timeline

epriestley created this task.Oct 31 2013, 5:35 PM
epriestley claimed this task.
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added projects: Security, Diffusion.
epriestley added a subscriber: epriestley.
epriestley added a comment.Nov 8 2013, 5:26 PM

I think we need to lock "Local Path" from the web UI in general, since I can point it somewhere outside of the repo directory to read non-managed repositories.

epriestley edited this Maniphest Task.Nov 13 2013, 5:24 PM
epriestley edited this Maniphest Task.Nov 13 2013, 5:33 PM
epriestley edited this Maniphest Task.Nov 13 2013, 7:26 PM
epriestley edited this Maniphest Task.
epriestley lowered the priority of this task from Normal to Wishlist.Nov 13 2013, 7:30 PM
epriestley updated the task description. (Show Details)
epriestley removed a project: Security.
joshuaspence added a subscriber: joshuaspence.May 30 2015, 1:22 AM
epriestley mentioned this in T10748: Implement `diffusion.repository.edit`, for creating and editing repositories via the API.Apr 7 2016, 11:01 PM
eadler added a project: Restricted Project.Apr 8 2016, 6:40 PM
Herald added a subscriber: eadler. · View Herald TranscriptApr 8 2016, 6:40 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 8 2016, 6:40 PM
epriestley added a revision: D15837: Guarantee repositories have unique local paths.May 3 2016, 7:40 PM
epriestley added a commit: rPdd2b10b8f859: Guarantee repositories have unique local paths.May 4 2016, 11:09 PM
epriestley closed this task as Resolved.May 4 2016, 11:15 PM

D15837 appears to have deployed cleanly here.

Phabricator · Built by Phacility