Page MenuHomePhabricator

2011-08 August
Updated 3,236 Days AgoPublic

Summary of significant changes to Phabricator, Arcanist and libphutil in August 2011.


  • Fixed a security hole where an attacker can execute CSRF attacks by uploading a Java applet and then tricking a victim into visiting a page which embeds it. See the configuration file for details. Completely stopping this attack requires some configuration.
  • Fixed a CSRF hole in drag-and-drop file uploads.
  • Fixed a CSRF hole in Conduit.
  • Added a CSRF write guard across the entire stack.
  • Tightened cookie security policies.


  • Added "arc upload".
  • Added "arc download".
  • Added "arc paste".
  • Added a "--json" mode to "arc upload".
  • Added an XHPAST rule for brace formatting.
  • Added an XHPAST hook for overriding naming warnings.
  • Fixed bugs in binary file detection.
  • Added basic support for Mercurial.
  • Added local commit information to DCVS diffs.


  • Added a method.
  • Added a paste.create method.
  • Added a maniphest.createtask method.
  • Added a maniphest.find method.
  • Added a method.
  • Added a method.
  • Added a method.
  • Added a phriction.edit method.
  • Added a phriction.history method.


  • Refined copy for "Show 20 Lines".
  • Added "J" and "K" (uppercase) to jump between files.
  • Added custom field specifications. The review schema is now largely runtime-configurable.
  • Fixed a bug with the interaction between "Reply" and "Undo".
  • For DVCS revisions, Differential now shows local commit information.


  • Improved display behavior of commit messages.
  • Fixed a bug where Diffusion wouldn't show "empty directory" when it should.
  • Fixed a bug where SVN file moves displayed incorrectly.
  • Fixed a bug where the daemon could get stuck on deleted repositories.


  • Added an S3 storage engine.


  • Added custom field support, which allows runtime configuration of task fields.
  • Added file attach control to task creation workflow.
  • Added task status edit control on the task edit workflow.
  • Maniphest now uses the active project filter as the default project value when creating a new task.
  • Added task dependencies.
  • Added "Create Another Task", "Create Subtask" and "Create Another Subtask" workflows.
  • Maniphest now renders the entire task status, not just "Closed" (e.g., "Invalid", "Wontfix") on the list view.


  • Removed JX.defer.


  • Added IRC auth support.
  • Added SSL support.
  • Fixed a bug where the bot would try to JOIN too quickly.
  • Added support for slowvote object references.


  • Added a "description" field for edits.


  • Added detection for 'open_basedir'.
  • Added detection for 'safe_mode'.
  • Added detection for bad 'date.timezone'.
  • Improved pcntl detection.


  • Fixed a bug where "disk full" would be incorrectly detected.
  • Added Filesystem::writeUniqueFile().
  • Fixed an XHPAST issue with statement lists.
  • Improved HTTP/HTTPS futures.


  • Loosened @mention parsing to allow "@mention." at the end of a sentence.
  • Added the ability to upload SSH public keys.
  • Added a rough version of drag-and-drop file uploads to Remarkup.
  • Merged "Preferences" into "Settings".
  • Improved GC daemon for large Herald transcript datasets.
  • Added "esc" as a documented keystroke to keystroke help.
  • Added a "Rainbow" syntax highlighter.
  • Improved unit test MySQL isolation somewhat.
  • Many documentation updates.
  • Rendered object handles now show object status where applicable (e.g., a closed task is rendered with strikethru).
  • Added a full object reference syntax to Remarkup.
  • Made search engines pluggable.
  • Fixed error messages when file uploads fail.
  • Herald rules in the X-Herald-Rules header are now sticky and persist across later emails.
  • Improved unhandled exception dialogs and stack traces.
  • Allowed use of "Reply-To" to authorize reply emails.
  • Added tracking for content sources (e.g., email, web, conduit).
  • Made Phriction links more powerful.
Last Author
Last Edited
Jul 2 2012, 10:26 PM

Event Timeline