Menu/Navigation Redesign: We plan to ship an updated design for the home page application menu and navigation menus very soon. You can preview the design on https://secure.phabricator.com/ and give us feedback here:
This is primarily a visual update, but the application launcher on the home page has also been simplified. Generally, we're going to try showing a smaller number of commonly used "pinned" applications on the home page and moving the full list to a new "launcher" view in the "Applications" application.
GitHub URI Change: The GitHub repositories for Phabricator, Arcanist and libphutil have moved from github.com/facebook to github.com/phacility. The old URI should still work. This change is purely administrative.
.arclint: Arcanist now looks for .arclint files by default. These files can be used to configure lint more easily than the old mechanism (which required you to write extensions or choose from a set list of relatively inflexible engines), and are nearly as powerful. You can find documentation here:
Not every linter is supported yet and we have some work left to do, but we recommend almost all installs transition toward .arclint where appropriate: it's easier to set up, configure, and maintain. The old mechanisms are still supported, and appropriate if you have an extremely custom configuration.
This change is supported by a new arc linters command (which will help you configure .arclint files) and an updated arc get-config command (which should generally make it easier to understand configuration).
Comment Quoting and Removal: Comments in most applications can now be quoted and removed.
Removing a comment renders it invisible and prevents access to the edit history. Authors and administrators can remove comments. The actual comment text is not destroyed, but cannot be restored without access to the host. This is intended to mitigate the damage in two situations: users accidentally making sensitive comments, and users being jerks on mostly-open installs.
Icons: We've switched most of our icons to FontAwesome for performance, flexibility, ease of use, and to clarify the ambiguous licensing of some of the older icons. Most of the iconography is similar, but a few icons have changed because a similar icon is not currently available in FontAwesome.
Workboards: Workboards have received some interface and functional improvements, including the ability to filter which tasks are visible.
Dashboards: We've built most of a new "Dashboards" application. Dashboards allow you to build pages out of panels that show query results from applications (like revisions waiting for your review, recent feed stories, your assigned tasks, etc.), text, objects, or other types of information. Dashboards can be used standalone, or you can choose a dashboard to replace your home page. Dashboards aren't quite ready for Beta yet (even though they seem to work well, they're still very difficult to build and configure), but should be available for early adopters soon.
Diffusion: The main repository view has been simplified and some rendering has been partially reworked. The goal of these changes is to streamline Diffusion as a repository browser.
Git and Mercurial repositories now feature a Sublime-like filename autocompletion search.
These features still need some work, particularly for large repositories and in Mercurial. Performance should improve in the future.
- Many linter configuration options are deprecated by .arclint. If you are using them, you should transition to .arclint (if you don't have an engine) or direct linter configuration (if you do). In the future, these options will no longer be respected. Deprecating these options allows us to move to standard, consistent linter configuration and make core configuration simpler.
- Password reset links are now one-time-use instead of cycling on a timer. We were satisfied with the old system, but one-time tokens are better and recently became easy to implement (as we need the underlying infrastructure for other things).
- We received 28 vulnerability reports via HackerOne in this period. This month, none qualified for awards under the program guidelines:
- (5 Reports) Various server configuration issues not impacting Phabricator (for example, nginx version disclosure on phabricator.org).
- (3 Reports) Password reset links rotate on a timer. We were satisfied with the security of the old system (roughly, reset links were good for 24-48 hours) but it tended to produce false positives where researchers would report that the links were good indefinitely because they didn't wait long enough for them to become invalid. Toward the end of the month we built one-time-token infrastructure (to support TOTP and SMS multi-factor auth) and switched reset links over to it, as discussed in the previous changelog.
- (3 Reports) Researchers reported that there is no login rate limiting. (There is, but it requires several attempts to trigger and CAPTCHAs must be configured.)
- (3 Reports) Researchers reported theoretical vulnerabilities that did not hold up under scrutiny. For example, CSRF which required the attacker to know the victim's session cookie.
- (2 Reports) Missing SPF records. See: https://secure.phabricator.com/T4439
- (2 Reports) CSRF tokens rotate on a timer and are per-account, not per-session. At the moment, we are satisfied with the security of this design.
- (2 Reports) Phabricator allows you to upload arbitrary files, including executables. This is by design.
- (2 Reports) Full path disclosure in error messages. At the present time, we think the benefits (easier debugging and support) outweigh the risks.
- (1 Report) Content injection in error messages. At the present time, we think the benefits of presenting detailed, contextualized error messages dramatically outweigh the risks posed by content injection.
- (1 Report) Usernames are enumerable. This is by design.
- (1 Report) Researcher reported that email verification is not required before an account can be used. This is by design. The behavior can be configured with auth.require-email-verification.
- (1 Report) Passwords may be stored in the browser's memory, and accessible to a local attacker who can inspect process memory. We do not consider this a vulnerability in Phabricator, and there is nothing we could do to mitigate the more general forms of this attack.
- (1 Report) Researcher reported that phabricator.org discloses a credit card number in plain text. The actual text in question was margin-left: 85.36370249136206% in boostrap-responsive.min.css.
- (1 Report) It is possible to view the source code to Phabricator, an open source project.
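The two reset-link designs discussed above, as an added illustration that is not Phabricator's own code: a timer-rotating link (derived from the user and the current window, accepted for the current and previous window, so it stays valid for 24-48 hours and can be redeemed repeatedly) beside a one-time token that is stored hashed and burned on first use. The window length, server key and the in-memory store are assumptions made for the example.

```python
"""Timer-rotating vs one-time password-reset links (illustrative only)."""
import hashlib
import hmac
import secrets

WINDOW = 24 * 3600                        # assumed rotation window / token lifetime
SERVER_KEY = b"constructed-server-secret"  # constructed; a real deployment uses a random secret


def timer_link_token(user: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Old style: stateless token derived from the user and the current 24h window."""
    bucket = int(now // WINDOW)
    return hmac.new(key, f"{user}:{bucket}".encode(), hashlib.sha256).hexdigest()


def timer_link_valid(user: str, token: str, now: float, key: bytes = SERVER_KEY) -> bool:
    """Accept the current and the previous window: a link is good for 24-48 hours
    and can be reused any number of times until the window rolls over, which is
    why a short-lived test makes it look as if the link never expires."""
    bucket = int(now // WINDOW)
    for b in (bucket, bucket - 1):
        expected = hmac.new(key, f"{user}:{b}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, token):
            return True
    return False


class OneTimeTokens:
    """New style: random token, stored only as a hash, consumed on first use."""

    def __init__(self) -> None:
        self._entries = {}  # sha256(token) -> [user, expires_at, used]

    def issue(self, user: str, now: float) -> str:
        raw = secrets.token_urlsafe(32)  # 256 bits of entropy; the raw value goes in the link
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._entries[digest] = [user, now + WINDOW, False]
        return raw

    def redeem(self, token: str, now: float):
        """Return the user for a fresh, unexpired token, else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._entries.get(digest)
        if entry is None or entry[2] or now > entry[1]:
            return None
        entry[2] = True  # burn it: a second use, even inside the TTL, fails
        return entry[0]
```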
- Projects can now have alternate hashtags -- for example, "Quality Assurance" can have the short alias #qa.
- You can now set small icons for Projects, to help distinguish between use cases (tags, groups, projects, etc.)
- Complete destruction of objects is now available in bin/remove. This doesn't support all object types yet, but will as time goes on.
- Passphrases can now be locked permanently, which prevents the secrets from being changed or read.
- Pastes can now be edited.
- The "Real Name" field can now be made optional.
- Pholio mocks can now be closed.
- In Maniphest, "Depends On" is now called "Blocked By".
- When a task is closed, the tasks it blocks are now updated.
- Phriction now has basic edit conflict detection.
- Projects can now be "Watched". This subscribes you to all activity on anything in the project.
- .arclint is now formally supported.
- Added an arc linters command.
- Added an arc version command.
- Improved arc get-config command.
- Nonsensical arc set-config --show now lives in arc get-config.
- Fixed an issue where diffusion.looksoon didn't fire correctly. This could cause imported repositories to wait too long to update after arc land.
- Fixed some issues where Arcanist would read global and runtime configuration inconsistently, in an unusual order, or not at all.
- Fixed a compatibility issue with newer versions of XDebug.
- Fixed a compatibility issue with newer versions of ElasticSearch.
- Improvements to accessibility for assistive technologies.
- Remarkup now supports mailto: links.
- Fixed some parsing issues for context-free diffs with trailing whitespace trimmed.
- We no longer try to run README as a commit hook, even if you've set the executable bit on it.
- Phabricator now tries to be smarter about queueing and prioritizing Ajax requests. Particularly, interactive requests should work much more quickly when made on pages loading content. UI feedback on different kinds of requests (e.g., content vs sync vs interactive request) is also more tailored and useful, and less annoying overall.
- Wordpress is now supported as an authentication provider.
- Audit now has an "Authored Commits" filter by default.
- Fixed an issue where the IRCBot wasn't sure how to proceed if someone had its nickname.
- Fixed some issues where the metadata for unusual pushes would be interpreted incorrectly in hosted Mercurial repositories.
- When starting or stopping timers in Phrequent, the start or stop time is now adjustable.
- Fixed an issue where results without a group would be incorrectly filtered out in some Maniphest "Group By" queries.
- Authentication providers can now be marked as trusted, which will skip verification of email addresses they provide.
- Inline comments on commits are now indexed.
- Fixed some issues with the changeset parse cache not filling correctly.
- Fixed an issue with JIRA integration if the JIRA install is not at the domain root.
- Applications should now select a more appropriate email action for comments which subscribe the author.
- Fixed an explosive runtime issue with changes where the same long line appears thousands of times.
- phd status now shows daemon arguments.
- phd start now frees any held leases.
- auth.email-domains is now case-insensitive.
- Fixed two Passphrase bugs with file-path SSH key credentials.
- Removed "Jump Nav".
- Added XHPAST lint rules for string quotes.
- Added XHPAST lint rules for => and . operators.
- Added XHPAST lint rules for semicolon whitespace.
- Added XHPAST lint rules for elseif.
- Fixed an issue where all variables used in a catch block would be incorrectly detected as declared.