Tasks related to enhancing the security of Phabricator.
Oct 26 2022
There are some remaining non-security bugs with this that I'll follow up on in T13682. I believe the security side of this is now resolved.
The details of this attack will be disclosed at a later date, once installs have had some sort of plausible chance to upgrade.
May 27 2022
May 17 2022
May 9 2022
I believe D21811 covers this completely.
Apr 29 2022
Just for visibility, this is I believe the change that broke Diffusion (which was fixed in rP52df4ff515b7), where the error message is something like
Apr 20 2022
I believe these were all hunted down.
Apr 14 2022
I deployed this everywhere in the Phacility cluster yesterday and things have been quiet, so I'm assuming it worked until evidence arises to the contrary.
Apr 13 2022
D21756 effectively makes all Git pathways call setSudoAsDaemon(true).
Just for visibility, the error messages you'll see if you're affected by this issue look something like this:
...maybe this is an actual bug in Phabricator where some pathways are just missing the "sudo" wrapper?
Dec 2 2021
I'm satisfied that we aren't violating our commitment to our customers by continuing to use Mailgun as a service provider...
Aug 19 2021
Apr 8 2021
Yes. I closed down registration on this install (secure.phabricator.com) several years ago because the overwhelming majority of users who registered accounts here didn't read or follow the rules. Access to secure.phabricator.com is now invite-only.
Jan 28 2021
Jan 25 2021
Jan 20 2021
Jan 19 2021
Please use Discourse to report bugs. See https://discourse.phabricator-community.org/t/repository-view-git-command-failed-error/4510/.
It works with Git 2.1.4 (shipped with Debian Wheezy), but not with Git 2.20.1 (shipped with Debian Buster), or Git 2.30.0 (latest version).
My apologies if this is not the right place to post about this, but seems like due to ea9cb0b625fb6922c45aecbfdebacc60788ed92d we now get following error message when visiting diffusion repository page, i.e. URL /diffusion/$REPOID/: