2014-02 February
Updated 1,271 Days AgoPublic

General

  • Several important security changes, see below.
  • Projects are now mailable (you can CC them in all interfaces). This will send mail to all members of the project.
    • Users can now unsubscribe from projects. They will retain project membership, but stop receiving mail via the project.
  • Projects now support custom fields and transactions.
  • We've soft-launched project boards. This feature is still very early, see T1344 for details.
  • Differential's infrastructure is undergoing a major overhaul. It should mostly function the same way, but see T4481 for feedback and rough edges. It will soon offer full support for custom fields and transactions.
  • Calendar has received infrastructure and UI updates, but doesn't have much new functionality yet.
  • Fixed an issue where initial import of Git and Mercurial repositories could take far too much time and memory.

Security

  • We fixed two important security issues which allowed attackers to bypass the auth.email-domains setting. For details, see T4469. Installs using this setting are strongly advised to upgrade.
    • One issue related to MySQL truncation behavior. We now recommend installs configure STRICT_ALL_TABLES to systematically defuse this class of attack. We received this report via HackerOne, and awarded a $1,000 bounty for it.
    • The second issue built on the first issue and related to MySQL unicode handling. We no longer permit construction of queries which MySQL handles irregularly, which systematically defuses this class of attack. We received this report via HackerOne, and awarded a $500 bounty for it.
  • Our implementation of JIRA and Twitter OAuth1 was vulnerable to a CSRF attack where an attacker potentially could trick a logged out victim into registering and logging into a Phabricator account linked to the attacker's existing external account. This is targeted, complicated, and does not have much impact if successful. OAuth2 providers and the account link workflows were not vulnerable. We received this report via HackerOne and awarded a $300 bounty for it.
  • We received 17 additional reports via HackerOne in this period which we do not consider to represent vulnerabilities:
    • (3 reports) Missing SPF records for administrative domains. This is outside the scope of the award program. We will add these eventually (see T4439) but think this presents very little risk for now.
    • (2 reports) Reports about server configuration and software versions. Server configuration is outside the scope of the award program and Phabricator is not vulnerable to any of the issues which were reported.
    • (2 report) Brute force attacks against password logins. We throttle attempts using CAPTCHAs, but don't start immediately, and the researchers didn't hit the threshold.
    • (1 report) Researcher found a bug which we fixed (an error message was not rendered correctly), but it had no security impact.
    • (1 report) Default minimum password complexity could be higher. This is intentional and attempts to strike a balance between usability and security; administrators are free to configure longer minimums.
    • (1 report) Password autocomplete is enabled. This is intentional.
    • (1 report) A piece of security scanner software incorrectly identified code which was not vulnerable as a vulnerability.
    • (1 report) We serve CSS and JS libraries from predictable locations, by design.
    • (1 report) CSRF via password reset links. We believe the researcher was using an old copy of Phabricator, since we fixed this about a month ago and their report had no new information.
    • (1 report) We report OAuth2 error strings directly to the UI, which allows an attacker to spoof an error message. These errors are heavily contextualized (it is clear they are login errors resulting from the OAuth handshake) and we can not control or whitelist their content. We think not showing these errors would be worse overall, because it would make it more difficult to configure and use OAuth2, while we believe there is very little risk of an attacker confusing a user with this mechanism.
    • (1 report) We are uneven about escaping some user data in some log files, which could potentially allow an attacker to spoof log lines. For completeness we'll address this eventually (see T4472) but do not consider it to represent a security vulnerability.
    • (1 report) A hypothetical attack scenario which does not actually work in practice.
    • (1 report) Login/registration workflow tokens are stored durably, but do not need to be. See T3471. We will change this eventually but do not consider it to represent a significant threat at this time.
  • We have modularized password hashing mechanisms and now show more information about hash algorithms to administrators and users, upgrade hashing when passwords are used if a better algorithm is available, and prompt users to upgrade to stronger algorithms. Prior to this update, we performed key stretching by iterating md5(), which is not great but served as a reasonable lowest common denominator (it is available on all supported PHP versions without extensions). We will now prefer bcrypt if it is available. You can find more information in the Username/Password provider in the Auth application. If you're interested in support for scrypt, PBKDF2, or crypt()-based bcrypt, let us know. See T4443 for discussion.
  • Fixed a serialization issue. This had only theoretical impact.
  • Added explicit CSRF to email verification. This had only theoretical impact.

Compatibility and Upgrading

  • We've migrated a large amount of data in the last month. If you upgrade monthly, plan for a bit of additional downtime. See T3516 for details.
  • We have removed the license linters from the upstream. For discussion, see T2274. We currently have little material evidence that maintaining license or copyright information in source files is a best practice. We removed this information ourselves more than a year ago, and deprecated these linters around that time.
  • We've removed an old mechanism for adding actions to Differential. See T3795 for details. We believe very few installs were using this. A standard event mechanism is available as a replacement.
  • We're aggressively obsoleting Differential FieldSpecifications. They will be replaced with custom fields soon. Few installs use these; if you do, you'll need to migrate to custom fields. The two implementations are very similar and this migration should be straightforward.

Search

  • Global search now uses ApplicationSearch infrastructure.
  • You can change the default scope of the global search by dragging a different filter to the top of the list.
  • Rebuilding search indexes with bin/search index now also rebuilds custom field indexes.

Herald

  • Added a rule for new vs updated objects.
  • Added support for task priorities.
  • Minor improvements to rule rendering.

Miscellaneous

  • Tokens in typeaheads now have icons indicating their type.
  • Simplified and improved performance of typeaheads.
  • Typeaheads now show disabled or closed options if no other options match.
  • Conpherence now supports drafts.
  • The Aphlict server now performs health and version checks.
  • The Aphlict server is less of a mess on the inside, and has a more useful status page with test notifications.
  • Improved performance of draft status tracking in Differential.
  • Passphrase now records when users examine secret plaintext.
  • Improved rendering of SVN checkout URIs.

Bug Fixes

  • Fixed a bug where usernames and passwords were not encoded correctly in URIs.
  • Fixed an issue where partial imports of Subversion repositories could become stuck when referencing commits outside of the import path.
  • Fixed various issues with parsing Fixes T123 strings.
  • Fixed a bad call to getRefType() in Diffusion.
  • Fixed an issue where mail could receive duplicate "To:".
  • Fixed an issue where integer custom fields would incorrectly write "updated" transactions even though their value had not changed.
  • Fixed an issue where logged-out users would have a sketchy experience when trying to upload files.
  • Fixed an issue where we wouldn't render a specific unusual error message properly on the registration workflow.

Developer

  • Added phutil_units().
  • Added phutil_json_decode().
  • Added phutil_is_utf8_with_only_bmp_characters().
  • Introduced %B ("Binary String") escape for qsprintf().
  • The %s escape for qsprintf() now accepts only UTF-8 strings in the basic multilingual plane.
  • Celerity now automatically inlines small images using data: URIs.
Last Author
epriestley
Projects
None
Subscribers
None
Tokens
"Like" token, awarded by michiel3."Orange Medal" token, awarded by andeepak."Like" token, awarded by v3knet.