
Security
Tag · Active · Public

Details

Description

Tasks related to enhancing the security of Phabricator.

Recent Activity

Yesterday

epriestley added a commit to T12509: Plan the path forward from HMAC-SHA1: rP080fb1985f29: Upgrade an old "weakDigest()" inside TOTP synchronization code.
Fri, Dec 14, 12:16 AM · Infrastructure, Security
epriestley added a commit to T13225: Complete session digest migration from SHA1 to SHA256: rP1d34238dc945: Upgrade sessions digests to HMAC256, retaining compatibility with old digests.
Fri, Dec 14, 12:15 AM · Installing & Upgrading, Infrastructure, Security

Thu, Dec 13

epriestley added a revision to T9770: It is possible to use the same 2FA token more than once: D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.
Thu, Dec 13, 11:44 PM · Security, Auth
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPHUcad1985726c9: Fix construction of two new qsprintf() exceptions.
Thu, Dec 13, 8:22 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T12509: Plan the path forward from HMAC-SHA1: D19884: Upgrade an old "weakDigest()" inside TOTP synchronization code.
Thu, Dec 13, 8:19 PM · Infrastructure, Security
epriestley added a revision to T13225: Complete session digest migration from SHA1 to SHA256: D19883: Upgrade sessions digests to HMAC256, retaining compatibility with old digests.
Thu, Dec 13, 7:31 PM · Installing & Upgrading, Infrastructure, Security
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19882: Fix construction of two new qsprintf() exceptions.
Thu, Dec 13, 7:01 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley triaged T13225: Complete session digest migration from SHA1 to SHA256 as Low priority.
Thu, Dec 13, 6:42 PM · Installing & Upgrading, Infrastructure, Security

Wed, Dec 12

epriestley closed T4131: Store LDAP domain as credential source for LDAP external accounts as Wontfix.

I think we're going to fix this with T7667 instead. Binding to a particular domain creates headaches if you actually move the LDAP server, and unlocked authentication creates a lot of other problems that we can't address in a similar way.

Wed, Dec 12, 8:25 PM · Security, Auth
epriestley moved T4131: Store LDAP domain as credential source for LDAP external accounts from Backlog to Next on the Auth board.
Wed, Dec 12, 8:24 PM · Security, Auth
epriestley moved T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI from Backlog to Next on the Auth board.
Wed, Dec 12, 8:19 PM · Auth, Security
epriestley moved T9770: It is possible to use the same 2FA token more than once from Backlog to Next on the Auth board.
Wed, Dec 12, 8:03 PM · Security, Auth
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP2814d340367c: Fix a stray qsprintf() in the Herald rules engine when recording rule….
Wed, Dec 12, 7:31 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19872: Fix a stray qsprintf() in the Herald rules engine when recording rule application to objects.
Wed, Dec 12, 6:59 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley closed T13217: Upgrading: Hardening of qsprintf() as Resolved.

There are probably some stragglers that have yet to turn up, but we appear to have survived this largely unscathed.

Wed, Dec 12, 6:19 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPd8e2bb9f0f51: Fix some straggling qsprintf() warnings in repository import.
Wed, Dec 12, 5:21 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19869: Fix some straggling qsprintf() warnings in repository import.
Wed, Dec 12, 1:25 PM · Installing & Upgrading, Infrastructure, Security, Guides

Mon, Nov 26

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP88189f723f05: Make a Feed query construction less clever/sneaky for new qsprintf() semantics.
Mon, Nov 26, 6:47 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a project to T13223: "Land Revision" builds a commit message as an omnipotent user, not the revision author or landing user: Drydock.
Mon, Nov 26, 5:53 PM · Drydock, Policy, Differential, Security
epriestley triaged T13223: "Land Revision" builds a commit message as an omnipotent user, not the revision author or landing user as Low priority.
Mon, Nov 26, 5:53 PM · Drydock, Policy, Differential, Security

Sun, Nov 25

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19837: Make a Feed query construction less clever/sneaky for new qsprintf() semantics.
Sun, Nov 25, 9:40 PM · Installing & Upgrading, Infrastructure, Security, Guides

Wed, Nov 21

epriestley added a commit to T6960: Support %P in qsprintf(): rPHU35d0ec2dfa59: Keep the new "%P" query conversion out of the service call profiler by….
Wed, Nov 21, 3:55 PM · Security, Infrastructure
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPHU35d0ec2dfa59: Keep the new "%P" query conversion out of the service call profiler by….
Wed, Nov 21, 3:55 PM · Installing & Upgrading, Infrastructure, Security, Guides

Tue, Nov 20

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): Restricted Diffusion Commit.
Tue, Nov 20, 4:46 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP4967cd6ab941: Fix some "%Q" behavior in PhortuneMerchantQuery.
Tue, Nov 20, 4:00 PM · Installing & Upgrading, Infrastructure, Security, Guides

Mon, Nov 19

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): Restricted Diffusion Commit.
Mon, Nov 19, 3:39 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T6960: Support %P in qsprintf(): Restricted Diffusion Commit.
Mon, Nov 19, 3:39 PM · Security, Infrastructure

Sat, Nov 17

epriestley updated the task description for T13217: Upgrading: Hardening of qsprintf().
Sat, Nov 17, 1:35 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T6960: Support %P in qsprintf(): Restricted Differential Revision.
Sat, Nov 17, 1:21 AM · Security, Infrastructure
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): Restricted Differential Revision.
Sat, Nov 17, 1:21 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19820: Fix some "%Q" behavior in PhortuneMerchantQuery.
Sat, Nov 17, 1:20 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): Restricted Differential Revision.
Sat, Nov 17, 1:12 AM · Installing & Upgrading, Infrastructure, Security, Guides

Fri, Nov 16

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP933462b4873b: Continue cleaning up queries in the wake of changes to "%Q".
Fri, Nov 16, 8:49 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T6960: Support %P in qsprintf(): rP49483bdb4823: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.
Fri, Nov 16, 8:36 PM · Security, Infrastructure
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP49483bdb4823: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.
Fri, Nov 16, 8:36 PM · Installing & Upgrading, Infrastructure, Security, Guides

Thu, Nov 15

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19814: Continue cleaning up queries in the wake of changes to "%Q".
Thu, Nov 15, 2:00 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19812: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.
Thu, Nov 15, 1:32 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T6960: Support %P in qsprintf(): D19812: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.
Thu, Nov 15, 1:32 PM · Security, Infrastructure
epriestley added a revision to T6960: Support %P in qsprintf(): D19811: Keep the new "%P" query conversion out of the service call profiler by unmasking later.
Thu, Nov 15, 1:28 PM · Security, Infrastructure
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19811: Keep the new "%P" query conversion out of the service call profiler by unmasking later.
Thu, Nov 15, 1:28 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley updated the task description for T13217: Upgrading: Hardening of qsprintf().
Thu, Nov 15, 1:26 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP86fd2041484f: Fix all query warnings in "arc unit --everything".
Thu, Nov 15, 11:51 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPHU0e6ee5937ca5: Add "%Z" (Raw Query) and "%LK" (List of Columns for Keys) to qsprintf().
Thu, Nov 15, 11:50 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP2f10d4adebf9: Continue making application fixes to Phabricator for changes to %Q semantics.
Thu, Nov 15, 11:50 AM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP98690ee326ce: Update many Phabricator queries for new %Q query semantics.
Thu, Nov 15, 11:48 AM · Installing & Upgrading, Infrastructure, Security, Guides

Nov 14 2018

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP64b52b9952dd: Make SELECT construction in PolicyAwareQuery safer.
Nov 14 2018, 11:32 PM · Installing & Upgrading, Infrastructure, Security, Guides

Nov 13 2018

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19801: Fix all query warnings in "arc unit --everything".
Nov 13 2018, 6:33 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19800: Add "%Z" (Raw Query) and "%LK" (List of Columns for Keys) to qsprintf().
Nov 13 2018, 6:29 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPda40f8074106: Update PhabricatorLiskDAO::chunkSQL() for new %Q semantics.
Nov 13 2018, 4:59 PM · Installing & Upgrading, Infrastructure, Security, Guides
epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPHU2ec24ec0d3d2: Make "%LO" and "%LA" more readable when there is only one subclause.
Nov 13 2018, 4:52 PM · Installing & Upgrading, Infrastructure, Security, Guides