I made this change and deployed it to secure, and this "critical security vulnerability" is now a proper Phabricator 404 page:
Apr 20 2022
May 14 2021
A point against AllowEncodedSlashes Off which I hadn't connected the dots on is that "security researchers" from HackerOne will report URLs like this as "content injection vulnerabilities" for all time:
Mar 17 2021
Given the generally high degree of mootness here, I'm not planning to add a setup test or recommend installs adjust the setting.
Previously, see T13437.
This reproduces locally.
Mar 13 2021
Mar 5 2021
This is promoting to stable shortly and looks complete to me, thanks!
Mar 3 2021
Jan 20 2021
Sep 4 2020
Feb 7 2020
https://discourse.phabricator-community.org/t/activities-notifications-spam/3286/ is likely a case where curl was not installed on the CLI, but was installed in the web SAPI.
Nov 25 2019
In D20927, I implemented a policy rule like this:
Sep 26 2019
Sep 8 2019
Aug 12 2019
Aug 11 2019
Dec 28 2018
...it is virtually inconceivable to me that this is something we would ever bring upstream in any form.
Dec 19 2018
I'll get this actually landed, but here's the patch I'm using for ForceUser until I get there:
I was also able to get OpenSSH 7.9p1 to build cleanly on OS X Mojave 10.14.2. For posterity:
(Please use Discourse for this sort of discussion.)
It's been several years since this task has been opened up, and it's not clear what the current progress on this is. Is there a way that versioning could please be added to GitHub, per the recommendations on https://github.com/Homebrew/homebrew-php/pull/3864 ? I'm not able to install arcanist currently using homebrew because there isn't a stable tagged version newer than one from 2012.
Nov 15 2018
Good news: recent versions of sshd can pass the key fingerprint to the AuthorizedKeysCommand with %f: https://bugzilla.mindrot.org/show_bug.cgi?id=2081
OpenSSH 7.9p1 builds cleanly and does not segfault immediately if configured like this:
Yikes on rPe57bfbf421f4. Let me see if I can make this build.
Oct 2 2018
Sep 24 2018
Aug 10 2018
Jul 31 2018
Jul 26 2018
Jul 21 2018
Jul 20 2018
I made it as far as locala.phacility.com working right so maybe I got everything?
The GRANT syntax also appears to have changed. We currently do this (in Phacility-specific code):
Jul 18 2018
- Install XCode. Find the secret "Install Command Line Tools" option inside the Hidden Chamber of XCode and click it.
xcode-select --install should be possible without a full XCode installation.
Build just the extension from source?
Jul 17 2018
May 18 2018
The companion "provide more guidance" patch would be something like this:
This is involved, and default_authentication_plugin=mysql_native_password doesn't fix it.
May 17 2018
May 16 2018
An adjacent issue is that the actual connection exception doesn't make it up to setup guidance. It's somewhat tricky to raise it through the stack since the mechanics are substantially delegated to a bunch of cluster connection management, but we should make more of an effort to get it up to top level.
In MySQL 8.0.4:
Apr 21 2018
Apr 20 2018
I'm happy to bring either change upstream if you want to do the legwork. We could also move them to a wiki page or something. No option here feels particularly good to me.
install_ubuntu.sh seems to be completely broken for modern Ubuntu. I don't mind updating it, but I think we discussed dumping it completely?
Nov 30 2017
Nov 28 2017
Another variation of this is that "Mailing List" users' addresses also can't be edited from the web UI.
Aug 6 2017
Yep, agreed that the re-targeted proposal is a better solution... I had just assumed that this was a documentation oversight.
Aug 3 2017
I retargeted this; I think the proposed solution is not the best solution we can find to the problem.
Aug 2 2017
Jul 28 2017
T12941 is a third case of a user with no mysql or mysqli.
Jul 18 2017
Jul 9 2017
Jun 11 2017
Jun 8 2017
There are debian and ubuntu packages for arcanist:
although popcon data (66) suggests that the debian one is not in wide use.
May 30 2017
If you believe this is not an issue with a bad SAPI binary, please file a new bug report including reproduction steps I can follow to reproduce the issue (see Providing Reproduction Steps for guidance).
May 29 2017
Now I have changed that
May 20 2017
May 19 2017
May 15 2017
Apr 17 2017
Mar 21 2017
Once arc is installed, you can just run arc update. Given the plan to also distribute linters, etc, this would still be preferable for each individual installation vs. us.
Commenting here since you merged T12429. I find it surprising you put Arcanist in the same bucket as Phabricator. I think you don't even have to do all the work to make Arcanist users happy. I might be wrong, but I think there will be people adding support for Arcanist to their favorite package manager (I'm ignoring Windows), if only they'd have tags or marked releases to work with?
Mar 20 2017
Mar 11 2017
Bug reports need complete reproduction instructions and complete version information. See Contributing Bug Reports, Providing Reproduction Steps, and Providing Version Information.
Jan 27 2017
Jan 9 2017
FWIW this affected us as well, we switched from Cloudflare back to CloudFront and hit this snag. The default settings do not forward Host header, we had to add that ourselves. Didn't need to change anything else, though - it seems that CloudFront performs loose SSL validation and is OK with the certificate/host mismatch. (Maybe it at least requires the host to match the origin domain - not sure.)
Dec 9 2016
I think we now test everything we've seen except RocketLoader (which is hard to test and hasn't come up too much recently) and not serving .whatever paths (which we've only ever seen one instance of, and which is also somewhat hard to test). I'm going to consider this resolved for now until we see more issues.