HomePhabricator
Diffusion Phabricator 9dd0eca335d5

Lock feed.public and feed.http-hooks config options
9dd0eca335d5
Actions

Description

Lock feed.public and feed.http-hooks config options

Summary:
Ref T6817. Ref T5726. These both bypass policy checks, and would allow an attacker who gains control of an administrative account to enable public feed, then view feed stories they could not normally see; or enable feed.http-hooks, then read the posted text.

In the longer term I'd like to remove feed.public completely (possibly providing API alternatives, if necessary).

Test Plan: Looked at options in web UI and saw them locked.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T6817, T5726

Differential Revision: https://secure.phabricator.com/D11046

Details

Provenance
epriestleyAuthored on
epriestleyPushed on Dec 29 2014, 4:04 PM
Reviewer
chad
Differential Revision
D11046: Lock feed.public and feed.http-hooks config options
Parents
rP102e431feb01: Migrate Maniphest task blockers to modern EdgeType classes
Branches
Unknown
Tags
Unknown
Tasks
T6817: Token given feed entry's target link is not struck through and greyed out when the target is closed
T5726: Add more information to story POSTs during the feed.http-hooks hook

Changes (1)

PathSize
src/
applications/
feed/
config/

rP9dd0eca335d5

View Options

src/applications/feed/config/PhabricatorFeedConfigOptions.php

Loading...
Phabricator ยท Built by Phacility