Summary of changes from January 16, 2018 to January 19, 2018.
| Codebase | Repository | {icon lock} | HEAD | Activity |
|----------|------------|--|------|----------|
| Phabricator | rP | | rP3e983b583d | 0 commits |
| Arcanist | rARC | | rARC2e023322 | 0 commits |
| libphutil | rPHU | | rPHU2d8cdda | 1 commit |
| Instances (SAAS) | rSAAS | {icon lock} | rSAAS301336d | 0 commits |
| Services (SAAS) | rSERVICES | {icon lock} | rSERVICES9fe96c7 | 0 commits |
| Core (SAAS) | rCORE | {icon lock} | rCORE163f963 | 0 commits |
- These changes were promoted to `stable`.
General
======
This is just promoting `master` so T13025 (a large bulk editor rewrite) can land without triggering a lot of peril. Week 2, which was "released" a couple days ago, also didn't actually promote to `stable`, so this is the first `stable` with the handful of bugfixes from that release note (see [[ changelog/2018.02 ]]).
Security
========
We fixed an issue where URIs in the form `/\evil.com` were not recognized as remote URIs and thus evaded tabnabbing protection, even though all browsers treat `//evil.com` and `/\evil.com` as equivalent, valid links. This was reported to us via HackerOne, see [[ https://hackerone.com/reports/306414 | #306414 ]] (this issue may not have been disclosed yet at the time you are reading this document).
This attack just enables [[ https://en.wikipedia.org/wiki/Tabnabbing | tabnabbing ]], which is most likely to be useful in very targeted phishing attacks, and generally isn't exceptionally dangerous.
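The classification bug above comes down to how a link target is tested for being "remote" before tabnabbing protection is applied. The following is an added example, not Phabricator's own code: a `isRemoteURI` helper that treats a leading `/\` the way browsers do (as equivalent to `//`), and a `linkAttributes` helper that attaches the protective attributes to remote links. It goes slightly beyond the two forms named in the note by treating any two leading slash-like characters (`//`, `/\`, `\/`, `\\`) as a protocol-relative URI, on the assumption (from the WHATWG URL parser's handling of special schemes) that browsers normalize backslashes to slashes in that position. The exact protective attributes (`rel="noopener noreferrer"` on links opened in a new tab) are an assumption about the protection in question, not taken from the page.

```javascript
// Added example (not Phabricator code): decide whether a link href points at
// another origin, and if so attach tabnabbing protection.

function isRemoteURI(uri) {
  // Browsers strip leading/trailing whitespace before parsing.
  const s = String(uri).trim();

  // Absolute URI with a scheme, e.g. "https://evil.example/" or "mailto:x".
  if (/^[a-z][a-z0-9+.-]*:/i.test(s)) {
    return true;
  }

  // Protocol-relative URI: two leading slash-like characters. Browsers treat
  // "\" as "/" here, so "/\host", "\/host" and "\\host" all resolve to a
  // different origin, exactly like "//host". Checking only for "//" is the
  // defect the changelog describes.
  if (/^[\/\\]{2}/.test(s)) {
    return true;
  }

  // Anything else ("/T13025", "relative/path", "#anchor") stays on this site.
  return false;
}

function linkAttributes(uri) {
  const attrs = { href: uri };
  if (isRemoteURI(uri)) {
    // Assumed protection: open remote links in a new tab without handing the
    // new page a reference to the opener window.
    attrs.target = '_blank';
    attrs.rel = 'noopener noreferrer';
  }
  return attrs;
}

// Constructed sample inputs for a quick local run.
const samples = ['//evil.com', '/\\evil.com', '\\\\evil.com', 'https://evil.com/', '/T13025', 'docs/guide'];
for (const href of samples) {
  console.log(JSON.stringify(href), '->', isRemoteURI(href) ? 'remote' : 'local');
}
```

The point of the regression check is the second branch: a remote-URI test that only matches a literal `//` prefix lets `/\evil.com` through as a local path, so the link is rendered without protection and the browser then opens it as a cross-origin page.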
Migrations
==========
- //No migrations in this period.//
Upgrading / Compatibility
=========================
- //No notes in this period.//
//The [{icon tint, color=sky}] icon indicates a change backed by support mana.//