src/applications/config/option/PhabricatorSecurityConfigOptions.php
| Show All 19 Lines | final class PhabricatorSecurityConfigOptions | ||||
| } | } | ||||
| public function getOptions() { | public function getOptions() { | ||||
| $support_href = PhabricatorEnv::getDoclink('Give Feedback! Get Support!'); | $support_href = PhabricatorEnv::getDoclink('Give Feedback! Get Support!'); | ||||
| $doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain'); | $doc_href = PhabricatorEnv::getDoclink('Configuring a File Domain'); | ||||
| $doc_name = pht('Configuration Guide: Configuring a File Domain'); | $doc_name = pht('Configuration Guide: Configuring a File Domain'); | ||||
| // This is all of the IANA special/reserved blocks in IPv4 space. | |||||
| $default_address_blacklist = array( | |||||
| '0.0.0.0/8', | |||||
| '10.0.0.0/8', | |||||
| '100.64.0.0/10', | |||||
| '127.0.0.0/8', | |||||
| '169.254.0.0/16', | |||||
| '172.16.0.0/12', | |||||
| '192.0.0.0/24', | |||||
| '192.0.2.0/24', | |||||
| '192.88.99.0/24', | |||||
| '192.168.0.0/16', | |||||
| '198.18.0.0/15', | |||||
| '198.51.100.0/24', | |||||
| '203.0.113.0/24', | |||||
| '224.0.0.0/4', | |||||
| '240.0.0.0/4', | |||||
| '255.255.255.255/32', | |||||
| ); | |||||
| return array( | return array( | ||||
| $this->newOption('security.alternate-file-domain', 'string', null) | $this->newOption('security.alternate-file-domain', 'string', null) | ||||
| ->setLocked(true) | ->setLocked(true) | ||||
| ->setSummary(pht('Alternate domain to serve files from.')) | ->setSummary(pht('Alternate domain to serve files from.')) | ||||
| ->setDescription( | ->setDescription( | ||||
| pht( | pht( | ||||
| 'By default, Phabricator serves files from the same domain '. | 'By default, Phabricator serves files from the same domain '. | ||||
| 'the application is served from. This is convenient, but '. | 'the application is served from. This is convenient, but '. | ||||
| ▲ Show 20 Lines • Show All 169 Lines • ▼ Show 20 Lines | return array( | ||||
| ->setSummary( | ->setSummary( | ||||
| pht('Determines whether or not YouTube videos get embedded.')) | pht('Determines whether or not YouTube videos get embedded.')) | ||||
| ->setDescription( | ->setDescription( | ||||
| pht( | pht( | ||||
| "If you enable this, linked YouTube videos will be embeded ". | "If you enable this, linked YouTube videos will be embeded ". | ||||
| "inline. This has mild security implications (you'll leak ". | "inline. This has mild security implications (you'll leak ". | ||||
| "referrers to YouTube) and is pretty silly (but sort of ". | "referrers to YouTube) and is pretty silly (but sort of ". | ||||
| "awesome).")), | "awesome).")), | ||||
| $this->newOption('security.allow-outbound-http', 'bool', true) | $this->newOption( | ||||
| ->setBoolOptions( | 'security.outbound-blacklist', | ||||
| array( | 'list<string>', | ||||
| pht('Allow'), | $default_address_blacklist) | ||||
| pht('Disallow'), | |||||
| )) | |||||
| ->setLocked(true) | ->setLocked(true) | ||||
| ->setSummary( | ->setSummary( | ||||
| pht('Allow outbound HTTP requests.')) | pht( | ||||
| 'Blacklist subnets to prevent user-initiated outbound '. | |||||
| 'requests.')) | |||||
| ->setDescription( | ->setDescription( | ||||
| pht( | pht( | ||||
| 'If you enable this, you are allowing Phabricator to '. | 'Phabricator users can make requests to other services from '. | ||||
| 'potentially make requests to external servers.')), | 'the Phabricator host in some circumstances (for example, by '. | ||||
| 'creating a repository with a remote URL or having Phabricator '. | |||||
| 'fetch an image from a remote server).'. | |||||
| "\n\n". | |||||
| 'This may represent a security vulnerability if services on '. | |||||
| 'the same subnet will accept commands or reveal private '. | |||||
| 'information over unauthenticated HTTP GET, based on the source '. | |||||
| 'IP address. In particular, all hosts in EC2 have access to '. | |||||
| 'such a service.'. | |||||
| "\n\n". | |||||
| 'This option defines a list of netblocks which Phabricator '. | |||||
| 'will decline to connect to. Generally, you should list all '. | |||||
| 'private IP space here.')) | |||||
| ->addExample(array('0.0.0.0/0'), pht('No Outbound Requests')), | |||||
| $this->newOption('security.strict-transport-security', 'bool', false) | $this->newOption('security.strict-transport-security', 'bool', false) | ||||
| ->setLocked(true) | ->setLocked(true) | ||||
| ->setBoolOptions( | ->setBoolOptions( | ||||
| array( | array( | ||||
| pht('Use HSTS'), | pht('Use HSTS'), | ||||
| pht('Do Not Use HSTS'), | pht('Do Not Use HSTS'), | ||||
| )) | )) | ||||
| ->setSummary(pht('Enable HTTP Strict Transport Security (HSTS).')) | ->setSummary(pht('Enable HTTP Strict Transport Security (HSTS).')) | ||||
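Review bot: The default value of `security.outbound-blacklist`, `$default_address_blacklist`, lists only IPv4 reserved blocks, so on a dual-stack host the loopback, unique-local and link-local IPv6 ranges (and IPv4-mapped addresses) are not declined by default even though the described risk is the same. If the matching code accepts IPv6 CIDRs, add `'::1/128'`, `'fc00::/7'`, `'fe80::/10'`, `'::ffff:0:0/96'` to the array and widen its comment to `// IANA special/reserved blocks in IPv4 and IPv6 space.`; if it does not, the option description should say the list is IPv4-only. The enforcement point is not in this hunk, so it is worth confirming there that entries are compared against the resolved address rather than the hostname and re-checked on each redirect hop, and stating that in the description so administrators know what the list covers. The `getOptions()` body continues past the hunk.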