Page MenuHomePhabricator

2014-03 March
Updated 2,598 Days AgoPublic


IMPORTANT: If you use Google Auth, you may need to make a configuration change. You'll receive an error explaining it when trying to log in, and can find more details here:
  • You can now configure custom task statuses in Maniphest.
  • You can now scuttle Maniphest tasks with one click.
  • Differential now uses more modern infrastructure for fields and transactions. This should simplify configuration and improve the application in general. You can find some information on the new field configuration in the Custom Fields Documentation.
  • Phabricator's documentation is now prettier.
  • Most Herald actions now appear in transaction logs, and various Herald rules support new fields.
  • Herald can now send email about pushes, which summarize all the changes in a push (vs email about individual commits).
  • Some of they very small text on the home page now appears in a different color.
  • Transaction logs now have a sophisticated visual end cap when no content appears below them. It adds a touch of class and really makes the experience cohesive.


  • When a command like git fetch fails and its output contains URIs, we now attempt to censor credentials from them more aggressively when reporting errors to the user.
  • You can now terminate login sessions explicitly from Settings.
  • We fixed an issue where /../ could appear in Phriction slugs. This had no actual security impact, but could be confusing and annoying.
  • We have tightened the cookie lifetime policies on various registration cookies, and they should generally not be more durable than necessary now. This is purely preventative.
  • We documented the HackerOne program formally.
  • We fixed an issue where some fields could have a trailing "\n" appended and still pass validation which should have prevented this character from appearing. We awarded a $300 bounty for this issue.
  • We fixed two similar issues related to OAuth token theft, whereby an attacker would craft a client-side OAuth URI and redirect to an application where the anchor could survive form submission and/or redirection through anchor reattachment in some browsers. We awarded $450 and $400 bounties for these issues.
  • We fixed an issue where users could XSS themselves in some browsers by storing a carefully crafted editor link and then clicking an "Open in Editor" button. We now filter URIs more aggressively and whitelist editor protocols. We awarded a $300 bounty for this issue.
  • We fixed an issue where Phame blogs didn't check policy settings correctly, and awarded a $300 bounty.
  • We fixed an issue where Phame blogs did not have handle port numbers correctly. This was just a normal bug (it did not have any actual security impact) so it didn't qualify for an award.
  • We received 44 additional reports in this period which did not qualify for an award:
    • (9 Reports) Reports containing no meaningful information.
    • (7 Reports) Researchers believed they had discovered XSS or other vulnerabilities, but could not develop a proof of concept. Usually the code was unreachable or the researcher misunderstood some component of the application. In all cases, the behaviors appeared correct and expected.
    • (3 Reports) Miscellaneous correspondence about other issues.
    • (3 Reports) We do not currently have SPF configured. See
    • (2 Reports) We do not terminate sessions when users reset passwords. This is by design, largely because Phabricator treats passwords as an external identity source, no a core identity attribute. You can now terminate sessions explicitly.
    • (2 Reports) Uploading specially crafted images can have DOS implications. We've mitigated some of this, but did not award a bounty because the issue is an uninteresting DOS issue and the researcher attacked a live install.
    • (2 Report) You can enumerate emails or usernames if you have access to registration and fill out a CAPTCHA for every guess. We think this reasonably balances usability and security.
    • (2 Reports) Some error messages can disclose the full paths to files. Since this is significantly useful when troubleshooting and resolving errors, and is not useful on its own for an attacker, we do not consider this to be a security issue at this time.
    • (2 Report) We do not force the user to change their password after authenticating with a reset link in email. Among other reasons, this is because not all installs support password authentication.
    • (2 Reports) We do not emit a "Strict-Transport-Security" header. We plan to address this eventually, but the attack it defuses requires high levels of access and we worry it may be hard to guide users through configuration of this header. More discussion in
    • (1 Report) Password reset link is valid for more than 36 hours. This is expected; they are valid for 48 hours.
    • (1 Report) We deliver static content and file data to users in a way that is standard across the industry, but which the researcher was not familiar with.
    • (1 Report) We do not force intricate passwords by default. Our default password policy rejects very common passwords and sets a minimum password length, but could go farther than it does. We're satisfied that our defaults provide a reasonable balance of security and usability at this time. Administrators can configure longer minimums if they prefer.
    • (1 Report) You can create two projects with similar names. We don't believe this represents a vulnerability at this time.
    • (1 Report) Researcher reported a theoretical issue with HTTP headers on the .org site, which had no relevance or security impact in practice.
    • (1 Report) We do not limit password lengths. This could make us vulnerable to DOS through key stretching, but we hash passwords to a constant length before stretching them, so in practice this has no security impact.
    • (1 Report) We do not use robots.txt to prevent indexing of certain unenumerable resources. This is an obscurity measure only and provides no security benefit.
    • (1 Report) CSRF tokens are not tied to login sessions, so logging out does not invalidate tokens. This is intentional; they are tied to identity and rotate on a schedule instead.
    • (1 Report) You can sign up with different email addresses. This is expected behavior.
    • (1 Report) Researcher recommended we replace reCAPTCHA with a checkbox. We declined.


  • Removed differential.markcommitted.
  • Removed the phpast.* methods, which had no real reason to exist.


  • Passphrase can now generate keypairs.
  • Passphrase can now derive public keys from private keys.
  • The "SSH Public Keys" panel can also generate keypairs.

Workboards (Beta)

  • Workboards now have better integration with Maniphest.
  • Workboard columns can be deleted.
  • Improved some dragging behaviors for workboards.


  • arc close-revision now uses more modern repository detection.
  • arc amend will no longer close revisions as a side effect of amending (this behavior was rare and confusing).

Bug Fixes / Minor Changes

  • Fixed an issue where arc tab completion would not work outside of a working copy.
  • Fixed an issue with Mercurial bookmark names in arc patch.
  • Fixed an issue where the chat bot sent handshakes in the wrong order.
  • The chat bot now respects https.cabundle.
  • Fixed an issue where a setup error could occur if certain auth providers were configured in an unusual way.
  • Fixed an issue where author names with parentheses would not be parsed correctly in blame.
  • Fixed an issue where disabled users would show as awaiting approval.
  • Tooltips are now hidden when you press a key.
  • Long lists of subscribed users are now handled more gracefully.
  • Fixed a rendering issue with deleted comments.
  • Fixed an issue with comment links going to the wrong anchor.
  • Phabricator now supports more complex LDAP filtering.
  • Maniphest is now filterable on date updated.
  • More interfaces show profile and project images.
  • Improved standalone rendering of dialogs.
  • Improved design of some Remarkup elements, particularly the "NOTE" blocks.
  • Flags now support very long notes.

Internal Development

  • The OAuthServer application moved forward significantly
  • Harbormaster moved forward somewhat.
  • Releeph moved forward a bit.
  • None of these applications are ready for use by regular users yet.
Last Author
Last Edited
Apr 1 2014, 4:58 PM

Event Timeline