Summary of changes from December 14, 2018 to December 31, 2018.
| Codebase | Repository | {icon lock} | HEAD | Activity |
|----------|------------|--|------|----------|
| Phabricator | rP | | rP106e90dcf | 44 commits |
| Arcanist | rARC | | rARC25c23819 | 1 commit |
| libphutil | rPHU | | rPHUcad1985 | 0 commits |
| Instances (SAAS) | rSAAS | {icon lock} | rSAAS4624462 | 1 commit |
| Services (SAAS) | rSERVICES | {icon lock} | rSERVICES019a12a | 0 commits |
| Core (SAAS) | rCORE | {icon lock} | rCORE5ec5042 | 1 commit |
- These changes were promoted to `stable`.
General
=======
[{icon tint, color=sky}] **Updates to MFA**: MFA now binds challenges to sessions and workflows. If you are challenged to provide MFA to (for example) sign a Legalpad document, the response to that challenge cannot be used by a different session or on a different workflow (for example, it cannot be used to upgrade a partial session to a full session).
For TOTP, this generally defuses attacks which target the window of vulnerability between you unlocking your phone and the workflow completing, while the code is displayed but your response has not yet been submitted to or confirmed by the server.
Attacks on this window generally have the shape of an adversary using a spyglass to observe your phone screen from afar and typing the code in really fast, before you can type it yourself.
The attacker may increase the size of this window by disrupting your network connection, spilling coffee on you as you type the prompt in, etc. This class of attacks is generally not terribly threatening and usually requires the attacker either be physically present or have substantial control over the client machine and the network.
TOTP responses may still be reused, but only by the same session on the same workflow, and only until the workflow the challenge is guarding is completed. In essentially all cases, this serves to allow you to complete a multi-part MFA challenge (where you have two or more MFA factors configured) step by step if you make an error, rather than requiring you to respond to a new challenge for each factor. This behavior intentionally violates RFC 6238, which forbids accepting the same TOTP response twice. See T9770.
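The following is an added example (not Phabricator's own code) that models the behavior described above in a few dozen lines of Python: challenges are keyed by a `(session_key, workflow_key)` pair, an accepted TOTP response may be replayed only by that same pair and only until the workflow is completed, and a response observed from the user's screen is useless to any other session or workflow. The way the cross-session protection is realized here, by having a live challenge claim the TOTP time steps it covers so no other session or workflow can be challenged for the same window, is a modelling assumption of this example, not a description of Phabricator's implementation. All identifiers (`ChallengeStore`, `issue_challenge`, `CHALLENGE_TTL`, the session and workflow key strings) are hypothetical; the secret is the RFC 6238 test key.

```python
"""Model of MFA challenges bound to a (session, workflow) pair.

Added example, not Phabricator code. Assumptions of the model:
  * a TOTP code is valid for its 30-second step plus one step of drift either side;
  * issuing a challenge claims those steps for one (session, workflow) pair, so a
    code seen on the user's phone is worthless to any other live session/workflow;
  * an accepted response may be replayed only by the same pair, only until the
    workflow completes (the intentional departure from RFC 6238 described above).
"""
import hashlib
import hmac
import struct

TOTP_STEP = 30          # RFC 6238 time step, seconds
TOTP_DIGITS = 6
DRIFT_STEPS = 1         # accept one step of clock skew either side
CHALLENGE_TTL = 600     # assumed lifetime of an unanswered challenge, seconds


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // TOTP_STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


class ChallengeStore:
    """In-memory record of challenges keyed by (session_key, workflow_key)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._challenges = {}   # (session, workflow) -> challenge record
        self._consumed = set()  # time steps already spent by an accepted response

    def _live(self, chal, now):
        return not chal["completed"] and now - chal["issued"] <= CHALLENGE_TTL

    def issue_challenge(self, session_key, workflow_key, now):
        """Claim the current TOTP steps for this pair; refuse ("wait") if another
        live challenge already holds any of them."""
        wanted = {now // TOTP_STEP + d for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1)}
        for key, chal in self._challenges.items():
            if key != (session_key, workflow_key) and self._live(chal, now) \
                    and chal["steps"] & wanted:
                return "wait"   # another session/workflow owns this window
        self._challenges[(session_key, workflow_key)] = {
            "issued": now, "steps": wanted, "digest": None, "completed": False}
        return "issued"

    def _digest(self, response: str) -> bytes:
        # Keep only a keyed hash of the accepted response, never the code itself.
        return hmac.new(self._secret, response.encode(), hashlib.sha256).digest()

    def respond(self, session_key, workflow_key, response, now):
        """Validate a response against the challenge issued to this exact pair."""
        chal = self._challenges.get((session_key, workflow_key))
        if chal is None:
            return "no-challenge"        # other session or workflow: nothing to answer
        if chal["completed"]:
            return "workflow-completed"  # reuse ends once the workflow finishes
        if now - chal["issued"] > CHALLENGE_TTL:
            return "expired"
        digest = self._digest(response)
        if chal["digest"] is not None:
            # Reuse within the same session and workflow, e.g. to retry the
            # second factor of a multi-factor prompt after a typo in it.
            return "ok-reused" if hmac.compare_digest(chal["digest"], digest) else "bad-code"
        for step in chal["steps"]:
            if step in self._consumed:
                continue                 # a step answers at most one challenge
            if hmac.compare_digest(totp(self._secret, step * TOTP_STEP).encode(),
                                   response.encode()):
                chal["digest"] = digest
                self._consumed.add(step)
                return "ok"
        return "bad-code"

    def complete(self, session_key, workflow_key):
        """Finish the workflow: the accepted response can no longer be replayed."""
        chal = self._challenges.get((session_key, workflow_key))
        if chal is not None:
            chal["completed"] = True


if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 6238 test key
    store = ChallengeStore(secret)
    now = 59
    print(store.issue_challenge("victim", "legalpad-sign", now))       # issued
    print(store.issue_challenge("attacker", "session-upgrade", now + 5))  # wait
    code = totp(secret, now)
    print(store.respond("victim", "legalpad-sign", code, now + 3))      # ok
    print(store.respond("attacker", "session-upgrade", code, now + 5))  # no-challenge
```

Run as a script, the walkthrough shows the attacker's session being told to wait for the victim's challenge window and its replay of the observed code being rejected, while the victim's own session may resubmit the same code until it calls `complete()`.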
A new "Sign With MFA" comment action is available. This action will prompt you to provide MFA credentials and mark your actions as authenticated.
Maniphest may now be configured (in `maniphest.statuses`) to require MFA for all interactions with tasks in certain statuses.
Security
========
[{icon tint, color=sky}] MFA is generally undergoing changes in this release and upcoming releases, see above.
Migrations
==========
| Migration | Risk | Duration | Notes |
|-----------|------|----------|-------|
| 20181213.auth.06.challenge.sql | | 14 ms | |
| 20181214.auth.01.workflowkey.sql | | 21 ms | |
| 20181218.pholio.01.imageauthor.sql | | 50 ms | |
| 20181217.auth.01.digest.sql | | 29 ms | |
| 20181217.auth.02.ttl.sql | | 19 ms | |
| 20181217.auth.03.completed.sql | | 20 ms | |
| 20181219.pholio.01.imagephid.sql | | 58 ms | |
| 20181219.pholio.02.imagemigrate.php | | 472 ms | |
| 20181219.pholio.03.imageid.sql | | 46 ms | |
| 20181220.pholio.01.mailkey.php | | 240 ms | |
| 20181220.pholio.02.dropmailkey.sql | | 44 ms | |
//"Duration" is the duration for this install, and may not be representative.//
Upgrading / Compatibility
=========================
This release includes some API changes which may affect third-party code:
[{icon tint, color=sky}] The `TYPE_AUTH_WILLLOGIN` event has been removed. There is no replacement.
[{icon tint, color=sky}] The `willApplyTransactions()` method on `TransactionEditor` has been removed. There is no direct replacement because this method did not have a clearly defined role.
[{icon tint, color=sky}] The `willRenderTimeline()` method has been removed from `ApplicationTransactionInterface`. Almost no upstream objects implemented this method. The new `PhabricatorTimelineInterface` replaces it.
[{icon tint, color=sky}] The `getApplicationTransactionObject()` method has been removed from `ApplicationTransactionInterface`. No upstream objects implemented this method and a large body of application transaction code did not call it correctly anyway.
[{icon tint, color=sky}] MFA factor implementations have changed and will continue to change in upcoming releases. Although we aren't aware of any third-party MFA factor implementations, you'll need to update them if you have any.
[{icon tint, color=sky}] Some `Mock` and `Image` behavior in Pholio has changed internally. Third-party code which interacts directly with Pholio may be affected.
Minor
=====
- When more than 100 projects match a typeahead query, active projects now appear first.
- Webhooks now report errors in a more human-readable way.
- Webhooks now include a reminder if your instance is in silent mode.
- The Phrequent curtain UI element now shows time spent with higher precision.
- [{icon tint, color=sky}] Partial sessions now last for 30 minutes and are not extended by ongoing activity.
- [{icon tint, color=sky}] `bin/auth recover` can now recover full sessions directly, bypassing MFA.
Developer
=========
- The upstream linters now detect `continue;` inside `switch (...)`.
- Added a `@{config:...}` remarkup rule.
//The [{icon tint, color=sky}] icon indicates a change backed by support mana.//