Version 2 vs 3
Edits
- Edit by chad, Version 3
- Jun 12 2014 3:09 PM
- Delete by • hunter_stanton, Version 2
- Jun 12 2014 3:01 PM
Content Changes
General
=======
- Phabricator now requires the daemons to be running in order to send mail or
perform search indexing. Primarily, this should simplify configuration. It
allowed us to delete a lot of fallback code which attempted to perform these
tasks slowly and poorly if the daemons were not running.
- Sessions have been reworked, but should not impact users much. There is
now a Settings > Sessions panel which allows you to view sessions. Among
other things, this simplified configuration.
- Search indexing now happens in the daemons.
- Added Mailgun support.
- Logged-out users can now view the homepage, on installs which allow public
access.
- Passphrase can now detect and handle SSH private keys with passwords.
- Added a "Quick Create" menu, to let you quickly create tasks, pastes, etc.
- Many UI/design improvements.
- Workboards are slightly more functional.
Security
========
- Disabled entity expansion in XML by default. Phabricator does not currently
parse any untrusted XML and thus was not vulnerable, but this behavior is
generally terrifying. For discussion of how this issue impacted Facebook and
other products, see
[[https://www.facebook.com/BugBounty/posts/778897822124446 | "We recently awarded our biggest bug bounty payout ever" (Facebook)]].
- Added a blacklist for common passwords. This mitigates attacks where
a botnet is used to try logging in to many accounts very slowly using
common passwords. For discussion of how this attack impacted GitHub, see
[[http://www.theverge.com/2013/11/20/5126906/weak-github-passwords-lead-to-account-security-breach | "Weak GitHub passwords lead to account security breach" (The Verge)]].
(We are not aware of any attacks of this nature against Phabricator in the
wild.)
- We slightly changed the behavior of the `next` cookie which controls where
you are redirected after you log in. Previously, we would not set this cookie
on 404 pages, which would allow an attacker to determine if a URI was
routable by checking for the cookie in the response. We are now more
selective about when we overwrite the cookie, and no longer leak URI
routability information to logged-out users. We are not aware of anything
useful that attackers could have done with this information.
- We now issue anonymous sessions to logged-out users and enforce CSRF
against logged-out actions. Particularly, this prevents an attacker from
logging a victim into an account the attacker controls after tricking them
into visiting a malicious page. This attack was not directly useful, but
could have been a component in a more sophisticated chain of compromise.
This issue was reported to us via [[ https://hackerone.com | HackerOne ]],
and we awarded a $300 bounty for it.
- The welcome / password reset workflow is now more strict to prevent similar
attacks, where an attacker could have tricked a victim into logging in with
an account the attacker controls. This issue was reported to us via
[[ https://hackerone.com | HackerOne ]], and we awarded a $300 bounty for
it.
- We received 9 other reports via HackerOne in this period that we do not
believe represent security vulnerabilities:
  - (2 reports) Password autocomplete is enabled. This is intentional.
  - (1 report) Sessions do not expire quickly, and users can log in from
    multiple browsers. This is intentional, as many users rely on these
    behaviors in their daily work.
  - (1 report) Referrer handling. This is discussed in T4342.
  - (1 report) XSS requiring interaction with browser debugging tools. We
    could not reproduce this and do not believe it is an issue with
    Phabricator.
  - (1 report) Permissioning on Files is not always as clear as it could be.
    We have plans to improve this, but this is mostly a product issue.
  - (1 report) We use the RC4 cipher on `secure.phabricator.com`. This is
    intentional, common, and not covered by the award program. We may choose
    a different cipher suite when the certificate expires in a few months.
  - (1 report) We include JavaScript directly from CDNs on `phabricator.org`.
    This is intentional, common, and not covered by the award program. The
    site also does not have any cookies or authenticated content.
  - (1 report) A user typed a short missive (in French) decrying Facebook into
    the form. We do not believe this constitutes a security vulnerability in
    Phabricator.
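The first Security item above disables XML entity expansion by default. The following is an added illustration of the same policy in Python, written for this page and not taken from Phabricator (which is PHP): the document is walked with expat's declaration callbacks and refused as soon as it declares an entity or references an external DTD subset, so nothing is ever expanded. The two sample documents, the `UntrustedEntityError` name and the `parse_untrusted_xml` helper are assumptions made for the example.

```python
"""Refuse XML that declares entities before it reaches a full parser.

Added example for the changelog entry "Disabled entity expansion in XML by
default"; this is not Phabricator code. Sample documents are constructed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UntrustedEntityError(ValueError):
    """Raised when an XML document declares entities or an external DTD."""


def reject_entity_declarations(xml_bytes: bytes) -> None:
    """Raise UntrustedEntityError on any entity declaration or external DTD.

    Only expat's declaration callbacks are installed; parsing is aborted by
    the exception at the first declaration, so no entity is expanded.
    """
    parser = expat.ParserCreate()

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # An external subset could define entities we never see; refuse it.
        if system_id is not None or public_id is not None:
            raise UntrustedEntityError(
                f"DOCTYPE {doctype_name!r} references an external DTD")

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        kind = "parameter" if is_parameter_entity else "general"
        raise UntrustedEntityError(f"document declares {kind} entity {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Exceptions raised inside a handler propagate out of Parse().
    parser.Parse(xml_bytes, True)


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse XML only after confirming it declares no entities."""
    reject_entity_declarations(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document parses under the no-entities policy."""
    try:
        parse_untrusted_xml(xml_bytes)
        return True
    except UntrustedEntityError:
        return False


# Constructed sample inputs: a plain document and one with an internal
# entity declaration that a permissive parser would silently expand.
PLAIN_DOC = b"<config><name>phabricator</name></config>"
ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE config [ <!ENTITY greeting "hello"> ]>'
    b"<config><name>&greeting;</name></config>"
)
EXTERNAL_DTD_DOC = (
    b'<!DOCTYPE config SYSTEM "http://dtd.example.invalid/config.dtd">'
    b"<config><name>phabricator</name></config>"
)


if __name__ == "__main__":
    print("plain accepted:", is_accepted(PLAIN_DOC))
    print("entity doc accepted:", is_accepted(ENTITY_DOC))
    print("external DTD accepted:", is_accepted(EXTERNAL_DTD_DOC))
```

Running the pre-check with a separate expat instance costs one extra pass over the input, which is the price of a parser-independent policy; the alternative is to wire the same two handlers into whichever parser the application actually uses.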
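The two HackerOne items above concern login CSRF: a logged-out victim tricked into submitting a login form with an attacker's credentials. The fix described in the changelog is to give every visitor a session, anonymous or not, so that the login action can be CSRF-checked like any other. The following added example, written for this page and not Phabricator's own code, models that flow: an anonymous session is issued to a logged-out visitor, the login form carries a token bound to that session, and a POST is accepted only when its token matches the session of the browser that sent it. The server key, the in-memory session store, the `auth.login` action name and the form field name are all assumptions for the example.

```python
"""Session-bound CSRF tokens that also protect logged-out actions.

Added example for the changelog entries on anonymous sessions and CSRF
enforcement; not Phabricator code. All values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed server-side secret; a real install keeps this outside source control.
SERVER_KEY = b"example-server-key-not-for-production"

LOGIN_ACTION = "auth.login"      # assumed action name
CSRF_FIELD = "__csrf__"          # assumed form field name


@dataclass
class Session:
    session_id: str
    user: Optional[str]          # None while the visitor is logged out


SESSIONS: Dict[str, Session] = {}


def get_or_create_session(cookie: Optional[str]) -> Session:
    """Return the session named by the cookie, or issue an anonymous one.

    Logged-out visitors get a session too; that is what lets the login form
    carry a token the server can later verify.
    """
    if cookie is not None and cookie in SESSIONS:
        return SESSIONS[cookie]
    session = Session(session_id=secrets.token_hex(16), user=None)
    SESSIONS[session.session_id] = session
    return session


def csrf_token(session: Session, action: str) -> str:
    """Token embedded in a form: bound to this session and this action."""
    msg = f"{session.session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_csrf(session: Session, action: str, presented: str) -> bool:
    """Constant-time comparison against the token this session should hold."""
    return hmac.compare_digest(csrf_token(session, action), presented)


def handle_login_post(cookie: Optional[str], form: Dict[str, str]) -> str:
    """Accept a login POST only if its token belongs to the posting session."""
    session = get_or_create_session(cookie)
    if not verify_csrf(session, LOGIN_ACTION, form.get(CSRF_FIELD, "")):
        return "rejected: CSRF token does not match the visitor's session"
    # A real handler checks credentials here; the example only records the
    # outcome of the CSRF gate.
    session.user = form["username"]
    return f"logged in as {session.user}"


def demo():
    """Legitimate submission versus a cross-site one; returns both outcomes."""
    # Victim loads the login page while logged out: an anonymous session is
    # issued and the rendered form carries a token bound to it.
    victim = get_or_create_session(None)
    legit = handle_login_post(
        victim.session_id,
        {CSRF_FIELD: csrf_token(victim, LOGIN_ACTION), "username": "alice"},
    )

    # A third-party page cannot read the victim's token; the only token it
    # can supply comes from some other session, so the check fails.
    other = get_or_create_session(None)
    second_victim = get_or_create_session(None)
    forged = handle_login_post(
        second_victim.session_id,
        {CSRF_FIELD: csrf_token(other, LOGIN_ACTION), "username": "mallory"},
    )
    return legit, forged


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the token is an HMAC over the session id, the server stores nothing extra per form; the cookie that names the session is the only secret the browser holds, and a page on another origin can neither read it nor compute a matching token.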
Arcanist
========
- Arcanist is now smarter about auto-identifying repositories.
- `arc which` now explains repository identification.
- Arcanist now considers no-op amends to be successful in Mercurial.
Diffusion
=========
- Repositories can now be associated with projects.
- Herald pre-commit rules can now act on Repository projects.
- SVN and Git repositories now support custom commit hooks.
- Herald rules against commits now handle "enormous" commits
consistently.
- We now support mirroring for imported (vs hosted) repositories.
- We now support mirroring for Mercurial repositories.
- Repository clone commands are now more usable and produce better results
for users.
Remarkup
========
- Added an __underline__ rule.
- Added "WARNING" and "IMPORTANT" blocks, similar to the existing "NOTE"
block. You can now use parentheses to suppress the block header:
type "(NOTE)" instead of "NOTE:".
WARNING: This is a warning.
IMPORTANT: This is not actually important.
(NOTE) This note block has a suppressed header.
Bugfixes
========
- Fixed an issue where some link patterns in Remarkup would be captured
too aggressively.
- Fixed an infinite loop in `PhutilFileTree` for files with names that
PHP could interpret as numbers.
- Fixed a problem with parsing blame in files with trailing whitespace
lines in Mercurial.
- Fixed a language issue where `arc` would claim it was rebasing when it was
actually merging.
- Fixed an issue where the daemons could "repair" a Git repository using
HTTP credentials into a broken state.
- Mercurial repositories can now have the "dangerous changes" flag toggled.
- Burnup chart now shows more integers.
Developer
=========
- PHPAST now almost completely supports PHP 5.5.
- Added `%R` to `csprintf()` for printing more readable arguments.
- Celerity now supports multiple static resource maps.
- Database migrations are now easier to manage.
- Garbage collector is now modular.