Security (Tag)
Active · Public

Details

Description

Tasks related to enhancing the security of Phabricator.

Recent Activity

Sun, Apr 8

epriestley added a parent task for T13117: `patch` just runs any command?: T12664: Update diff/patch parsing to extract more metadata and parse a wider range of formats.
Sun, Apr 8, 12:59 PM · Security

Sat, Apr 7

epriestley added a comment to T13117: `patch` just runs any command?.

A related attack is a bare whatever.patch file which writes to .git/config or .hg/hgconfig or whatever.

Sat, Apr 7, 12:54 PM · Security

Thu, Apr 5

epriestley triaged T13117: `patch` just runs any command? as Normal priority.
Thu, Apr 5, 6:46 PM · Security

Fri, Mar 23

epriestley updated the task description for T13112: Safari, PDFs, and Content-Security-Policy interact oddly.
Fri, Mar 23, 11:50 AM · Safari, Security, Files
epriestley closed T13112: Safari, PDFs, and Content-Security-Policy interact oddly as Resolved.

Actually, it seems like rel="noreferrer" fixes this. This is bizarre so maybe this is a problem with a spooky ghost haunting my computer?

Fri, Mar 23, 11:48 AM · Safari, Security, Files
epriestley triaged T13112: Safari, PDFs, and Content-Security-Policy interact oddly as Normal priority.
Fri, Mar 23, 11:47 AM · Safari, Security, Files

Mar 15 2018

arend.danielek added a watcher for Security: arend.danielek.
Mar 15 2018, 9:46 PM

Mar 8 2018

epriestley closed T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy as Resolved.

Macro frowncat: Presuming this is resolved until I learn otherwise.

Mar 8 2018, 7:24 PM · Remarkup, Security, Macros
epriestley added a comment to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy.

very good memes

Mar 8 2018, 7:19 PM · Remarkup, Security, Macros
epriestley added a comment to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy.

Macro nyancat: meow

Mar 8 2018, 7:19 PM · Remarkup, Security, Macros
epriestley added a comment to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy.

hmmm

Mar 8 2018, 7:18 PM · Remarkup, Security, Macros
epriestley added a commit to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: rP10b3ddf42657: Possibly fix memes in email.
Mar 8 2018, 7:09 PM · Remarkup, Security, Macros
epriestley added a commit to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: rPa3d282d33efe: Somewhat improve meme transform code so it is merely very bad.
Mar 8 2018, 7:09 PM · Remarkup, Security, Macros
epriestley added a commit to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: rPc7408f27977d: PhabricatorMemeEngine HA HA HA HA.
Mar 8 2018, 7:07 PM · Remarkup, Security, Macros
epriestley added a commit to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: rPa099a0626532: Remove some old image transform code with no callsites.
Mar 8 2018, 7:05 PM · Remarkup, Security, Macros
epriestley added a revision to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: D19203: Possibly fix memes in email.
Mar 8 2018, 7:04 PM · Remarkup, Security, Macros
epriestley added a revision to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: D19201: Somewhat improve meme transform code so it is merely very bad.
Mar 8 2018, 6:50 PM · Remarkup, Security, Macros
epriestley added a revision to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: D19200: PhabricatorMemeEngine HA HA HA HA.
Mar 8 2018, 5:38 PM · Remarkup, Security, Macros
epriestley added a revision to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: D19198: Remove some old image transform code with no callsites.
Mar 8 2018, 4:31 PM · Remarkup, Security, Macros
epriestley added a comment to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy.

Actually, HTML mail has an issue now.

Mar 8 2018, 4:00 PM · Remarkup, Security, Macros
epriestley added a comment to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy.

This is technically fixed now but the meme stuff is real old and rough so I'm going to maybe make some kind of effort to get through more of T5258, etc.

Mar 8 2018, 3:56 PM · Remarkup, Security, Macros
epriestley added a commit to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: rP98cac2cc2994: Always serve "{meme ...}" from the CDN domain, never from the primary domain.
Mar 8 2018, 3:47 PM · Remarkup, Security, Macros
epriestley added a revision to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: D19196: Always serve "{meme ...}" from the CDN domain, never from the primary domain.
Mar 8 2018, 3:40 PM · Remarkup, Security, Macros
epriestley added a commit to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: rPb30535a36f5f: When rendering "{image ...}" images, check the cache and just render a direct….
Mar 8 2018, 3:04 PM · Remarkup, Security, Macros
epriestley added a commit to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: rP9d3a722eb1fe: When proxying an "{image ...}" image fails, show the user an error message.
Mar 8 2018, 3:03 PM · Remarkup, Security, Macros
epriestley added a commit to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: rP01bbd71b9683: Separate the "{img ...}" remarkup rule into separate parse and markup phases.
Mar 8 2018, 3:03 PM · Remarkup, Security, Macros
epriestley added a revision to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: D19194: When rendering "{image ...}" images, check the cache and just render a direct "<img />" tag if possible.
Mar 8 2018, 2:51 PM · Remarkup, Security, Macros
epriestley added a revision to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: D19193: When proxying an "{image ...}" image fails, show the user an error message.
Mar 8 2018, 1:36 PM · Remarkup, Security, Macros
epriestley added a revision to T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy: D19192: Separate the "{img ...}" remarkup rule into separate parse and markup phases.
Mar 8 2018, 1:03 PM · Remarkup, Security, Macros

Mar 7 2018

epriestley triaged T13101: The "{img ...}" and "{meme ...}" remarkup rules violate the new Content-Security-Policy as Normal priority.
Mar 7 2018, 11:11 PM · Remarkup, Security, Macros

Mar 5 2018

epriestley added a commit to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: rPe43f2e0cee09: (stable) Don't emit Content-Security-Policy when returning a response during….
Mar 5 2018, 2:54 PM · Phacility, Security
epriestley added a commit to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: rPf31975f7a3be: Don't emit Content-Security-Policy when returning a response during preflight….
Mar 5 2018, 2:54 PM · Phacility, Security
epriestley added a revision to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: D19172: Don't emit Content-Security-Policy when returning a response during preflight setup checks.
Mar 5 2018, 2:52 PM · Phacility, Security

Mar 2 2018

epriestley closed T4340: Implement Content-Security-Policy and Strict-Transport-Security headers as Resolved.

This is promoting soon and we seem to have come through it without too much damage. T13095 is a followup for style="..." attributes.

Mar 2 2018, 3:44 PM · Phacility, Security
epriestley added a commit to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: rP42e5b8a04bec: Include the primary domain in the Content-Security-Policy explicitly if there's….
Mar 2 2018, 3:42 PM · Phacility, Security
epriestley added a revision to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: D19170: Include the primary domain in the Content-Security-Policy explicitly if there's no CDN.
Mar 2 2018, 3:03 PM · Phacility, Security

Mar 1 2018

epriestley added a commit to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: rP94d340fcffab: Include OAuth targets in "form-action" Content-Security-Policy.
Mar 1 2018, 3:28 AM · Phacility, Security
epriestley added a commit to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: rPHUdedf260c7755: Expose Content-Security-Policy form actions from OAuth1 authentication adapters.
Mar 1 2018, 3:28 AM · Phacility, Security
epriestley added a revision to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: D19160: Expose Content-Security-Policy form actions from OAuth1 authentication adapters.
Mar 1 2018, 3:26 AM · Phacility, Security
epriestley added a revision to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: D19159: Include OAuth targets in "form-action" Content-Security-Policy.
Mar 1 2018, 3:26 AM · Phacility, Security
epriestley added a commit to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: rPd5befb1a0ea3: Block use of "<base />" in the Content Security Policy.
Mar 1 2018, 2:57 AM · Phacility, Security
epriestley added a revision to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: D19158: Block use of "<base />" in the Content Security Policy.
Mar 1 2018, 2:54 AM · Phacility, Security
epriestley triaged T13095: Remove all inline styles to support a "style-src 'self'/<cdn-domain>" Content-Security-Policy as Low priority.
Mar 1 2018, 2:12 AM · Security
epriestley closed T13094: Improve file behaviors around POST requests and downloads as Resolved.

These changes are all deployed here, now. The embed element only got touched lightly but is at least slightly better. See T4340 for further adventures in Content-Security-Policy.

Mar 1 2018, 1:26 AM · Security, Files
epriestley added a commit to T13094: Improve file behaviors around POST requests and downloads: rPa2fdf14275f9: Stop using forms to download files in file embed and lightbox elements.
Mar 1 2018, 1:21 AM · Security, Files
epriestley added a commit to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: rPab579f251110: Never generate file download forms which point to the CDN domain, tighten "form….
Mar 1 2018, 1:20 AM · Phacility, Security
epriestley added a commit to T13094: Improve file behaviors around POST requests and downloads: rPab579f251110: Never generate file download forms which point to the CDN domain, tighten "form….
Mar 1 2018, 1:20 AM · Security, Files
epriestley added a commit to T13094: Improve file behaviors around POST requests and downloads: rPafc98f5d5d08: Remove defunct "download" route in Files pointing to nonexistent controller.
Mar 1 2018, 1:20 AM · Security, Files
epriestley added a commit to T4340: Implement Content-Security-Policy and Strict-Transport-Security headers: rPa5efd7eedb3c: Add "object-src 'none'" to the Content-Security-Policy.
Mar 1 2018, 1:19 AM · Phacility, Security
epriestley added a revision to T13094: Improve file behaviors around POST requests and downloads: D19157: Stop using forms to download files in file embed and lightbox elements.
Mar 1 2018, 1:19 AM · Security, Files