arice (Alex Rice)
User

User Details

User Since
Apr 5 2011, 7:14 PM (677 w, 1 d)
Availability
Available

Recent Activity

Sep 12 2016

arice added a comment to T11618: "Edit Form Configuration" transaction history not easily accessible.

You're right! That probably makes it more feature request, less bug report. (extremely low priority FR)

Sep 12 2016, 8:45 PM · Contributor Onboarding, Bug Report
arice updated the task description for T11618: "Edit Form Configuration" transaction history not easily accessible.
Sep 12 2016, 8:44 PM · Contributor Onboarding, Bug Report
arice created T11618: "Edit Form Configuration" transaction history not easily accessible.
Sep 12 2016, 5:13 AM · Contributor Onboarding, Bug Report

Mar 13 2014

arice added a comment to T4593: Mitigate OAuth session theft.

Whatever bug is preventing the removal of phabricator.com from App Domains is at fault here. Its presence authorizes the entirety of the domain for the OAuth flows (unless overridden by "Valid OAuth redirect URIs"). We (Facebook) need to do a much better job of guiding developers through reducing OAuth attack surface - the redesigned dev site is noticeably worse in this context.

Mar 13 2014, 6:27 PM · Security

Mar 10 2014

arice added a comment to D8481: Don't 302 to an external URI, even after CSRF POST.

It's slightly convoluted, but once Phabricator has the app secret, it's able to check the configuration by obtaining an app access token.

Mar 10 2014, 10:38 PM
arice added a comment to D8481: Don't 302 to an external URI, even after CSRF POST.

Adding to the list of potential mitigations, I do think it's worthwhile to ask installs to explicitly whitelist the full path. It's tricky to identify all situations where these params leak through referrers or other means and using a single path is a healthy precaution. This would mean that any changes to the auth URI would be a breaking change to existing installs, so you'll need to decide if the URIs are sufficiently stable at this point.

Mar 10 2014, 10:08 PM
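The two redirect-URI checks contrasted in the T4593 and D8481 comments above (a domain-wide App Domains entry that authorizes the whole host, versus registering the full path and matching it exactly), as an added example that is not part of this page and not Phabricator's or Facebook's own code. The install hostname, the auth path and the provider name are hypothetical, and the lax matcher only approximates what "authorizes the entirety of the domain" means; it does not reproduce Facebook's real logic.

```python
from urllib.parse import urlsplit

# Hypothetical install and auth path (assumption, not Phabricator's real URI layout).
REGISTERED_REDIRECT_URI = "https://install.example/auth/login/provider/"
# Hypothetical App Domains setting: a host list, not a path list.
APP_DOMAINS = {"install.example"}

_DEFAULT_PORTS = {"https": 443, "http": 80}


def _effective_port(parts):
    """Port from the URI, or the scheme default when none is given."""
    return parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme)


def domain_only_allowed(candidate, app_domains=APP_DOMAINS):
    """Lax check: any https URI on a listed host passes, whatever the path or query.

    This is the domain-wide authorization the comment warns about: an open
    redirect or any page that leaks its query string via Referer on the same
    host becomes a valid place to send the OAuth code.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname.lower() in app_domains


def exact_path_allowed(candidate, registered=REGISTERED_REDIRECT_URI):
    """Strict check: scheme, host, port, path and query must equal the registered URI.

    Hosts are compared case-insensitively (DNS names are), default ports are
    normalized, userinfo is rejected outright, and any fragment is rejected.
    """
    c = urlsplit(candidate)
    r = urlsplit(registered)
    if c.username is not None or c.password is not None:
        # e.g. https://install.example@attacker.example/... parses with
        # hostname attacker.example; refuse rather than reason about it.
        return False
    try:
        c_port, r_port = _effective_port(c), _effective_port(r)
    except ValueError:
        return False  # malformed port, e.g. https://install.example:abc/
    return (
        c.scheme == r.scheme
        and (c.hostname or "").lower() == (r.hostname or "").lower()
        and c_port == r_port
        and c.path == r.path
        and c.query == r.query
        and c.fragment == ""
    )


def classify(candidates):
    """Map each candidate redirect_uri to (domain_only_allowed, exact_path_allowed)."""
    return {uri: (domain_only_allowed(uri), exact_path_allowed(uri)) for uri in candidates}


if __name__ == "__main__":
    # Constructed candidates an attacker or a misconfigured client might send.
    samples = [
        "https://install.example/auth/login/provider/",
        "https://install.example/some/page?next=https://attacker.example/",
        "https://install.example/auth/login/provider/?extra=1",
        "http://install.example/auth/login/provider/",
        "https://install.example:8443/auth/login/provider/",
        "https://install.example@attacker.example/auth/login/provider/",
    ]
    for uri, (lax, strict) in classify(samples).items():
        print(f"domain-only={lax!s:5}  exact-path={strict!s:5}  {uri}")
```

The second sample is the case that matters: a same-host page with a `next=` parameter passes the domain-only check, so the authorization code would be delivered to it and could then be forwarded off-site, while the exact-path check rejects it. The cost the D8481 comment mentions is visible in `exact_path_allowed`: renaming the auth path changes `REGISTERED_REDIRECT_URI`, which every existing install would have to re-register.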