Projects Security

SecurityTag
ActivePublic
Watch Project

Members (5)
View All

arice (Alex Rice)
User
btrahan (Bob Trahan)
Utility player
chad (Chad Little)
Design Litre
epriestley (Evan Priestley)
Overengineer
vrana (Jakub Vrána)
Simplificator

Watchers (8)
View All

Details

Description

Tasks related to enhancing the security of Phabricator.

Recent Activity
View All

Yesterday

epriestley added a commit to T12509: Plan the path forward from HMAC-SHA1: rP080fb1985f29: Upgrade an old "weakDigest()" inside TOTP synchronization code.

Fri, Dec 14, 12:16 AM · Infrastructure, Security

epriestley added a commit to T13225: Complete session digest migration from SHA1 to SHA256: rP1d34238dc945: Upgrade sessions digests to HMAC256, retaining compatibility with old digests.

Fri, Dec 14, 12:15 AM · Installing & Upgrading, Infrastructure, Security

Thu, Dec 13

epriestley added a revision to T9770: It is possible to use the same 2FA token more than once: D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.

Thu, Dec 13, 11:44 PM · Security, Auth

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPHUcad1985726c9: Fix construction of two new qsprintf() exceptions.

Thu, Dec 13, 8:22 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T12509: Plan the path forward from HMAC-SHA1: D19884: Upgrade an old "weakDigest()" inside TOTP synchronization code.

Thu, Dec 13, 8:19 PM · Infrastructure, Security

epriestley added a revision to T13225: Complete session digest migration from SHA1 to SHA256: D19883: Upgrade sessions digests to HMAC256, retaining compatibility with old digests.

Thu, Dec 13, 7:31 PM · Installing & Upgrading, Infrastructure, Security

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19882: Fix construction of two new qsprintf() exceptions.

Thu, Dec 13, 7:01 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley triaged T13225: Complete session digest migration from SHA1 to SHA256 as Low priority.

Thu, Dec 13, 6:42 PM · Installing & Upgrading, Infrastructure, Security

Wed, Dec 12

epriestley closed T4131: Store LDAP domain as credential source for LDAP external accounts as Wontfix.

I think we're going to fix this with T7667 instead. Binding to a particular domain creates headaches if you actually move the LDAP server, and unlocked authentication creates a lot of other problems that we can't address in a similar way.

Wed, Dec 12, 8:25 PM · Security, Auth

epriestley moved T4131: Store LDAP domain as credential source for LDAP external accounts from Backlog to Next on the Auth board.

Wed, Dec 12, 8:24 PM · Security, Auth

epriestley moved T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI from Backlog to Next on the Auth board.

Wed, Dec 12, 8:19 PM · Auth, Security

epriestley moved T9770: It is possible to use the same 2FA token more than once from Backlog to Next on the Auth board.

Wed, Dec 12, 8:03 PM · Security, Auth

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP2814d340367c: Fix a stray qsprintf() in the Herald rules engine when recording rule….

Wed, Dec 12, 7:31 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19872: Fix a stray qsprintf() in the Herald rules engine when recording rule application to objects.

Wed, Dec 12, 6:59 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley closed T13217: Upgrading: Hardening of qsprintf() as Resolved.

There are probably some stragglers that have yet to turn up, but we appear to have survived this largely unscathed.

Wed, Dec 12, 6:19 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPd8e2bb9f0f51: Fix some straggling qsprintf() warnings in repository import.

Wed, Dec 12, 5:21 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19869: Fix some straggling qsprintf() warnings in repository import.

Wed, Dec 12, 1:25 PM · Installing & Upgrading, Infrastructure, Security, Guides

Mon, Nov 26

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP88189f723f05: Make a Feed query construction less clever/sneaky for new qsprintf() semantics.

Mon, Nov 26, 6:47 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a project to T13223: "Land Revision" builds a commit message as an omnipotent user, not the revision author or landing user: Drydock.

Mon, Nov 26, 5:53 PM · Drydock, Policy, Differential, Security

epriestley triaged T13223: "Land Revision" builds a commit message as an omnipotent user, not the revision author or landing user as Low priority.

Mon, Nov 26, 5:53 PM · Drydock, Policy, Differential, Security

Sun, Nov 25

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19837: Make a Feed query construction less clever/sneaky for new qsprintf() semantics.

Sun, Nov 25, 9:40 PM · Installing & Upgrading, Infrastructure, Security, Guides

Wed, Nov 21

epriestley added a commit to T6960: Support %P in qsprintf(): rPHU35d0ec2dfa59: Keep the new "%P" query conversion out of the service call profiler by….

Wed, Nov 21, 3:55 PM · Security, Infrastructure

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPHU35d0ec2dfa59: Keep the new "%P" query conversion out of the service call profiler by….

Wed, Nov 21, 3:55 PM · Installing & Upgrading, Infrastructure, Security, Guides

Tue, Nov 20

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): Restricted Diffusion Commit.

Tue, Nov 20, 4:46 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP4967cd6ab941: Fix some "%Q" behavior in PhortuneMerchantQuery.

Tue, Nov 20, 4:00 PM · Installing & Upgrading, Infrastructure, Security, Guides

Mon, Nov 19

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): Restricted Diffusion Commit.

Mon, Nov 19, 3:39 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T6960: Support %P in qsprintf(): Restricted Diffusion Commit.

Mon, Nov 19, 3:39 PM · Security, Infrastructure

Sat, Nov 17

epriestley updated the task description for T13217: Upgrading: Hardening of qsprintf().

Sat, Nov 17, 1:35 AM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T6960: Support %P in qsprintf(): Restricted Differential Revision.

Sat, Nov 17, 1:21 AM · Security, Infrastructure

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): Restricted Differential Revision.

Sat, Nov 17, 1:21 AM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19820: Fix some "%Q" behavior in PhortuneMerchantQuery.

Sat, Nov 17, 1:20 AM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): Restricted Differential Revision.

Sat, Nov 17, 1:12 AM · Installing & Upgrading, Infrastructure, Security, Guides

Fri, Nov 16

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP933462b4873b: Continue cleaning up queries in the wake of changes to "%Q".

Fri, Nov 16, 8:49 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T6960: Support %P in qsprintf(): rP49483bdb4823: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.

Fri, Nov 16, 8:36 PM · Security, Infrastructure

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP49483bdb4823: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.

Fri, Nov 16, 8:36 PM · Installing & Upgrading, Infrastructure, Security, Guides

Thu, Nov 15

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19814: Continue cleaning up queries in the wake of changes to "%Q".

Thu, Nov 15, 2:00 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19812: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.

Thu, Nov 15, 1:32 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T6960: Support %P in qsprintf(): D19812: Use "%P" to protect session key hashes in SessionEngine queries from DarkConsole.

Thu, Nov 15, 1:32 PM · Security, Infrastructure

epriestley added a revision to T6960: Support %P in qsprintf(): D19811: Keep the new "%P" query conversion out of the service call profiler by unmasking later.

Thu, Nov 15, 1:28 PM · Security, Infrastructure

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19811: Keep the new "%P" query conversion out of the service call profiler by unmasking later.

Thu, Nov 15, 1:28 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley updated the task description for T13217: Upgrading: Hardening of qsprintf().

Thu, Nov 15, 1:26 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP86fd2041484f: Fix all query warnings in "arc unit --everything".

Thu, Nov 15, 11:51 AM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPHU0e6ee5937ca5: Add "%Z" (Raw Query) and "%LK" (List of Columns for Keys) to qsprintf().

Thu, Nov 15, 11:50 AM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP2f10d4adebf9: Continue making application fixes to Phabricator for changes to %Q semantics.

Thu, Nov 15, 11:50 AM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP98690ee326ce: Update many Phabricator queries for new %Q query semantics.

Thu, Nov 15, 11:48 AM · Installing & Upgrading, Infrastructure, Security, Guides

Nov 14 2018

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rP64b52b9952dd: Make SELECT construction in PolicyAwareQuery safer.

Nov 14 2018, 11:32 PM · Installing & Upgrading, Infrastructure, Security, Guides

Nov 13 2018

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19801: Fix all query warnings in "arc unit --everything".

Nov 13 2018, 6:33 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a revision to T13217: Upgrading: Hardening of qsprintf(): D19800: Add "%Z" (Raw Query) and "%LK" (List of Columns for Keys) to qsprintf().

Nov 13 2018, 6:29 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPda40f8074106: Update PhabricatorLiskDAO::chunkSQL() for new %Q semantics.

Nov 13 2018, 4:59 PM · Installing & Upgrading, Infrastructure, Security, Guides

epriestley added a commit to T13217: Upgrading: Hardening of qsprintf(): rPHU2ec24ec0d3d2: Make "%LO" and "%LA" more readable when there is only one subclause.

Nov 13 2018, 4:52 PM · Installing & Upgrading, Infrastructure, Security, Guides