
Apr 8 2021

epriestley added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

Yes. I closed down registration on this install (secure.phabricator.com) several years ago because the overwhelming majority of users who registered accounts here didn't read or follow the rules. Access to secure.phabricator.com is now invite-only.

Apr 8 2021, 12:53 PM · Security, Git
holmboe added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

Please use Discourse to report bugs.

Apr 8 2021, 9:47 AM · Security, Git

Jan 28 2021

epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21528: Correct Diffusion browse behavior when visiting a path URI with no trailing slash.
Jan 28 2021, 12:34 AM · Security, Git

Jan 25 2021

epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21519: Correct Git repository browse behavior for differences in "ls-tree" output.
Jan 25 2021, 5:10 PM · Security, Git

Jan 20 2021

epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21512: Correct a straggling CLI format string after ref selector changes.
Jan 20 2021, 11:04 PM · Security, Git
epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21511: Further correct and disambiguate ref selectors passed to Git on the CLI.
Jan 20 2021, 7:44 PM · Security, Git
epriestley updated the task description for T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.
Jan 20 2021, 6:47 PM · Security, Git

Jan 19 2021

epriestley added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

Please use Discourse to report bugs. See https://discourse.phabricator-community.org/t/repository-view-git-command-failed-error/4510/.

Jan 19 2021, 3:34 PM · Security, Git
Abbe added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

It works with Git 2.1.4 (shipped with Debian Wheezy), but not with Git 2.20.1 (shipped with Debian Buster), or Git 2.30.0 (latest version).

Jan 19 2021, 12:00 PM · Security, Git
Abbe added a comment to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.

My apologies if this is not the right place to post about this, but it seems like, due to ea9cb0b625fb6922c45aecbfdebacc60788ed92d, we now get the following error message when visiting a Diffusion repository page, i.e. the URL /diffusion/$REPOID/:

Jan 19 2021, 11:44 AM · Security, Git

Jan 15 2021

epriestley changed the visibility for T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.
Jan 15 2021, 6:45 PM · Security, Git
epriestley changed the visibility for T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.
Jan 15 2021, 6:44 PM · Security, Git

Jan 12 2021

epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21510: Disambiguate Git ref selectors in some Git command line invocations.
Jan 12 2021, 8:11 PM · Security, Git
epriestley updated the task description for T13589: Git may interpret refnames as flags in some commands which accept both refs and paths.
Jan 12 2021, 8:10 PM · Security, Git
epriestley added a revision to T13589: Git may interpret refnames as flags in some commands which accept both refs and paths: D21509: Provide "gitsprintf(...)" and disambiguate Git ref selectors.
Jan 12 2021, 8:09 PM · Security, Git
epriestley triaged T13589: Git may interpret refnames as flags in some commands which accept both refs and paths as Normal priority.
Jan 12 2021, 6:26 PM · Security, Git

Aug 5 2020

epriestley updated the task description for T13241: Guide: SMS is Insecure.
Aug 5 2020, 7:22 PM · Security, Guides

Apr 30 2020

adrelanos added a watcher for Security: adrelanos.
Apr 30 2020, 7:59 PM

Jul 31 2019

epriestley closed T13350: Ancient "slowvote.info" API method bypasses policy checks as Resolved by committing rP2ec39afcd12b: Deprecate ancient "slowvote.info" API method.
Jul 31 2019, 6:28 PM · Slowvote, Security
epriestley added a revision to T13350: Ancient "slowvote.info" API method bypasses policy checks: D20687: Deprecate ancient "slowvote.info" API method.
Jul 31 2019, 6:26 PM · Slowvote, Security
epriestley added a revision to T13350: Ancient "slowvote.info" API method bypasses policy checks: D20686: Fix two minor display issues with the Conduit "*.search" API documentation.
Jul 31 2019, 6:22 PM · Slowvote, Security
epriestley added a revision to T13350: Ancient "slowvote.info" API method bypasses policy checks: D20685: Add a "slowvote.poll.search" API method.
Jul 31 2019, 6:17 PM · Slowvote, Security

Jul 30 2019

epriestley added a revision to T13350: Ancient "slowvote.info" API method bypasses policy checks: D20684: Fix policy behavior of "slowvote.info" API method.
Jul 30 2019, 6:53 PM · Slowvote, Security
epriestley triaged T13350: Ancient "slowvote.info" API method bypasses policy checks as Low priority.
Jul 30 2019, 6:46 PM · Slowvote, Security

Jul 15 2019

amckinley closed T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI, a subtask of T6755: Allow more granular configuration of `security.allow-outbound-http`, as Resolved.
Jul 15 2019, 6:53 PM · Security
amckinley closed T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI as Resolved by committing rP7852adb84bbe: Actually enforce auth.lock-config.
Jul 15 2019, 6:53 PM · Auth, Security

Jul 10 2019

amckinley added a revision to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI: D20645: Actually enforce auth.lock-config.
Jul 10 2019, 3:05 PM · Auth, Security

Apr 18 2019

epriestley added a revision to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI: Restricted Differential Revision.
Apr 18 2019, 2:05 PM · Auth, Security
epriestley added a comment to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI.

This could be made slightly cleaner with a setSummary() to set a shorter summary:

Apr 18 2019, 2:02 PM · Auth, Security
epriestley added a revision to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI: D20447: Don't warn about a locked database value after users run "bin/auth lock".
Apr 18 2019, 12:24 AM · Auth, Security
epriestley added a comment to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI.

hmmmmmm

Apr 18 2019, 12:21 AM · Auth, Security

Apr 11 2019

amckinley added a revision to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI: D20400: Some formatting changes for showing auth provider config guidance.
Apr 11 2019, 8:16 PM · Auth, Security

Apr 10 2019

amckinley added a revision to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI: D20394: Add a workflow and a new config option for locking authentication providers.
Apr 10 2019, 10:35 PM · Auth, Security

Feb 2 2019

epriestley renamed T13245: Improve MFA security by using replacing SMS code digits with emoji from Improve MFA security by using replacing digits with emoji to Improve MFA security by using replacing SMS code digits with emoji.
Feb 2 2019, 6:46 PM · Security
epriestley triaged T13245: Improve MFA security by using replacing SMS code digits with emoji as Low priority.
Feb 2 2019, 6:46 PM · Security

Jan 29 2019

epriestley added a comment to T6994: Write a general "Security guidelines" document.

Some guidance about "configure captchas if you're a public-facing, password-login install" would be good here too

Jan 29 2019, 7:21 PM · Security

Jan 25 2019

epriestley added a revision to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI: D20038: Require MFA to edit MFA providers.
Jan 25 2019, 6:45 PM · Auth, Security
epriestley added a comment to T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI.

After T13222, this is more relevant:

Jan 25 2019, 6:31 PM · Auth, Security
epriestley added a comment to T13138: Improve consistency of MFA requirements to invite/approve users.

From T13222, MFA on related flows should generally be updated.

Jan 25 2019, 6:28 PM · People, Security
epriestley updated the task description for T13241: Guide: SMS is Insecure.
Jan 25 2019, 3:57 PM · Security, Guides

Jan 21 2019

epriestley closed T13238: Disallow MYSQLI_OPT_LOCAL_INFILE as Resolved by committing rPHU1d3b33d4ccbf: Move "options(MYSQLI_OPT_LOCAL_INFILE, ...)" call after "real_connect()".
Jan 21 2019, 6:33 PM · Infrastructure, Security
epriestley added a revision to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE: D20004: Move "options(MYSQLI_OPT_LOCAL_INFILE, ...)" call after "real_connect()".
Jan 21 2019, 3:38 PM · Infrastructure, Security
epriestley added a comment to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE.

Thanks! I get the same behavior locally, I filed this upstream: https://bugs.php.net/bug.php?id=77496

Jan 21 2019, 3:34 PM · Infrastructure, Security
vrana added a comment to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE.

I can't get MYSQLI_OPT_LOCAL_INFILE to work on secure, either. I tried on secure001 and secure004 (where the database is not local). As far as I can tell, this option doesn't do anything, anywhere, ever?

Jan 21 2019, 8:27 AM · Infrastructure, Security

Jan 20 2019

epriestley lowered the priority of T13238: Disallow MYSQLI_OPT_LOCAL_INFILE from Low to Wishlist.

We're probably done here, but ideally the next steps are:

Jan 20 2019, 3:14 PM · Infrastructure, Security

Jan 18 2019

epriestley added a revision to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE: Restricted Differential Revision.
Jan 18 2019, 5:40 PM · Infrastructure, Security
epriestley added a revision to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE: D19999: Add setup warnings for "local_infile" (MySQL Server) and "mysql[i].allow_local_infile" (PHP Client).
Jan 18 2019, 5:37 PM · Infrastructure, Security
epriestley added a comment to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE.

Maybe another point in favor of the claim that the option does not work is the behavior of this:

Jan 18 2019, 5:02 PM · Infrastructure, Security
epriestley added a comment to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE.

I think that maybe mysql_nonapi.c just overrides the conn->options() call? Near line 269 of PHP 7.2.3:

Jan 18 2019, 4:57 PM · Infrastructure, Security
epriestley added a comment to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE.

I can't get MYSQLI_OPT_LOCAL_INFILE to work on secure, either. I tried on secure001 and secure004 (where the database is not local). As far as I can tell, this option doesn't do anything, anywhere, ever? I'm going to look at the source and see if I can figure out what's going on, but I'll back it out of D19998 if I can't find some evidence that it's useful.

Jan 18 2019, 4:49 PM · Infrastructure, Security
epriestley added a revision to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE: D19998: Set MYSQLI_OPT_LOCAL_INFILE (which appears to have no effect) and raise unusual query errors more clearly.
Jan 18 2019, 4:37 PM · Infrastructure, Security
epriestley added a comment to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE.

I'm unable to get the MySQLi option MYSQLI_OPT_LOCAL_INFILE to actually work. Here's the script I'm using:

Jan 18 2019, 4:15 PM · Infrastructure, Security
epriestley added a comment to T13238: Disallow MYSQLI_OPT_LOCAL_INFILE.

It looks like we don't need to do anything about mysql on the CLI since this option is, thankfully, not enabled by default:

Jan 18 2019, 4:04 PM · Infrastructure, Security
epriestley triaged T13238: Disallow MYSQLI_OPT_LOCAL_INFILE as Low priority.
Jan 18 2019, 4:01 PM · Infrastructure, Security

Jan 16 2019

epriestley closed T13234: Application email addresses may shadow user email addresses as Resolved by committing rPc5f446defb52: Prevent application email addresses from shadowing user email addresses.
Jan 16 2019, 9:28 PM · Mail, Security

Jan 15 2019

epriestley updated the task description for T13234: Application email addresses may shadow user email addresses.
Jan 15 2019, 2:37 PM · Mail, Security
epriestley added a revision to T13234: Application email addresses may shadow user email addresses: D19974: Prevent application email addresses from shadowing user email addresses.
Jan 15 2019, 2:35 PM · Mail, Security
epriestley added a comment to T13234: Application email addresses may shadow user email addresses.

Performing this "attack" requires administrator privileges and probably some weird social engineering around making the "Reply All" happen.

Jan 15 2019, 2:23 PM · Mail, Security

Jan 14 2019

epriestley moved T13234: Application email addresses may shadow user email addresses from Backlog to Soon? on the Mail board.
Jan 14 2019, 5:19 PM · Mail, Security
epriestley moved T12046: PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045] from Future to Infrastructure on the Mail board.
Jan 14 2019, 4:55 PM · Mail, Security

Jan 4 2019

epriestley added a comment to T13234: Application email addresses may shadow user email addresses.

When Phabricator receives the mail, it doesn't know which "To" or "Cc" actually caused delivery

Jan 4 2019, 10:45 PM · Mail, Security
epriestley triaged T13234: Application email addresses may shadow user email addresses as Low priority.
Jan 4 2019, 10:39 PM · Mail, Security

Jan 3 2019

epriestley added a revision to T12509: Plan the path forward from HMAC-SHA1: D19946: Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256.
Jan 3 2019, 2:08 PM · Infrastructure, Security
epriestley added a comment to T12509: Plan the path forward from HMAC-SHA1.

In moving forward here, we're generally moving from manually-configured HMAC keys to automatic ones. This is generally good: it's simpler (less configuration); and I believe almost no one configured the old ones, so installs now actually get unique HMAC keys; and the new keys have more entropy, too.

Jan 3 2019, 1:25 PM · Infrastructure, Security
epriestley added a comment to T6994: Write a general "Security guidelines" document.

See a note in T12509 about HMAC key regeneration.

Jan 3 2019, 1:21 PM · Security
epriestley added a revision to T12509: Plan the path forward from HMAC-SHA1: D19945: Upgrade object reply addresses to SHA256 and remove "phabricator.mail-key".
Jan 3 2019, 1:18 PM · Infrastructure, Security

Jan 2 2019

epriestley added a revision to T12509: Plan the path forward from HMAC-SHA1: D19941: Remove an old digest in Celerity code and some obsolete configuration options.
Jan 2 2019, 4:56 AM · Infrastructure, Security

Dec 18 2018

epriestley added a revision to T13226: Consider login/session alerts, and other security alerts (for example, around MFA): D19905: Make partial sessions expire after 30 minutes, and do not extend them.
Dec 18 2018, 7:58 PM · Auth, Security
epriestley triaged T13226: Consider login/session alerts, and other security alerts (for example, around MFA) as Low priority.
Dec 18 2018, 2:20 PM · Auth, Security

Dec 17 2018

epriestley closed T9770: It is possible to use the same 2FA token more than once as Wontfix.

After the stack of changes under D19897 land:

Dec 17 2018, 10:22 PM · Security, Auth
epriestley closed T13186: Upgrading: Legacy "Can Edit <Field>" policies in Maniphest; requireCapabilities() in TransactionEditor as Resolved.

This appears to be stable and working properly. D19897 removes a straggling guardrail.

Dec 17 2018, 8:46 PM · Security, Policy, ApplicationEditor, Guides, Installing & Upgrading

Dec 13 2018

epriestley added a revision to T9770: It is possible to use the same 2FA token more than once: D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.
Dec 13 2018, 11:44 PM · Security, Auth
epriestley added a revision to T12509: Plan the path forward from HMAC-SHA1: D19884: Upgrade an old "weakDigest()" inside TOTP synchronization code.
Dec 13 2018, 8:19 PM · Infrastructure, Security
epriestley added a revision to T13225: Complete session digest migration from SHA1 to SHA256: D19883: Upgrade sessions digests to HMAC256, retaining compatibility with old digests.
Dec 13 2018, 7:31 PM · Installing & Upgrading, Infrastructure, Security
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19882: Fix construction of two new qsprintf() exceptions.
Dec 13 2018, 7:01 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley triaged T13225: Complete session digest migration from SHA1 to SHA256 as Low priority.
Dec 13 2018, 6:42 PM · Installing & Upgrading, Infrastructure, Security

Dec 12 2018

epriestley closed T4131: Store LDAP domain as credential source for LDAP external accounts as Wontfix.

I think we're going to fix this with T7667 instead. Binding to a particular domain creates headaches if you actually move the LDAP server, and unlocked authentication creates a lot of other problems that we can't address in a similar way.

Dec 12 2018, 8:25 PM · Security, Auth
epriestley moved T4131: Store LDAP domain as credential source for LDAP external accounts from Backlog to Next on the Auth board.
Dec 12 2018, 8:24 PM · Security, Auth
epriestley moved T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI from Backlog to Next on the Auth board.
Dec 12 2018, 8:19 PM · Auth, Security
epriestley moved T9770: It is possible to use the same 2FA token more than once from Backlog to Next on the Auth board.
Dec 12 2018, 8:03 PM · Security, Auth
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19872: Fix a stray qsprintf() in the Herald rules engine when recording rule application to objects.
Dec 12 2018, 6:59 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley closed T13217: Upgrading: Hardening of qsprintf() as Resolved.

There are probably some stragglers that have yet to turn up, but we appear to have survived this largely unscathed.

Dec 12 2018, 6:19 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19869: Fix some straggling qsprintf() warnings in repository import.
Dec 12 2018, 1:25 PM · Installing & Upgrading, Infrastructure, Security, Guides

Nov 26 2018

epriestley added a project to T13223: "Land Revision" builds a commit message as an omnipotent user, not the revision author or landing user: Drydock.
Nov 26 2018, 5:53 PM · Drydock, Policy, Differential, Security
epriestley triaged T13223: "Land Revision" builds a commit message as an omnipotent user, not the revision author or landing user as Low priority.
Nov 26 2018, 5:53 PM · Drydock, Policy, Differential, Security

Nov 25 2018

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19837: Make a Feed query construction less clever/sneaky for new qsprintf() semantics.
Nov 25 2018, 9:40 PM · Installing & Upgrading, Infrastructure, Security, Guides

Nov 17 2018

epriestley updated the task description for T13217: Upgrading: Hardening of qsprintf().
Nov 17 2018, 1:35 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T6960: Support %P in qsprintf(): Restricted Differential Revision.
Nov 17 2018, 1:21 AM · Security, Infrastructure
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): Restricted Differential Revision.
Nov 17 2018, 1:21 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19820: Fix some "%Q" behavior in PhortuneMerchantQuery.
Nov 17 2018, 1:20 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): Restricted Differential Revision.
Nov 17 2018, 1:12 AM · Installing & Upgrading, Infrastructure, Security, Guides

Nov 15 2018

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19814: Continue cleaning up queries in the wake of changes to "%Q".
Nov 15 2018, 2:00 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19812: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.
Nov 15 2018, 1:32 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T6960: Support %P in qsprintf(): D19812: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.
Nov 15 2018, 1:32 PM · Security, Infrastructure
epriestley added a revision to T6960: Support %P in qsprintf(): D19811: Keep the new "%P" query conversion out of the service call profiler by unmasking later.
Nov 15 2018, 1:28 PM · Security, Infrastructure
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19811: Keep the new "%P" query conversion out of the service call profiler by unmasking later.
Nov 15 2018, 1:28 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley updated the task description for T13217: Upgrading: Hardening of qsprintf().
Nov 15 2018, 1:26 PM · Installing & Upgrading, Infrastructure, Security, Guides

Nov 13 2018

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19801: Fix all query warnings in "arc unit --everything".
Nov 13 2018, 6:33 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19800: Add "%Z" (Raw Query) and "%LK" (List of Columns for Keys) to qsprintf().
Nov 13 2018, 6:29 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley closed T6960: Support %P in qsprintf() as Resolved by committing rPHUf842247de41a: Support %P (Password or Secret) in qsprintf().
Nov 13 2018, 4:48 PM · Security, Infrastructure