2014-06 June

Major Changes

Menu/Navigation Redesign: We've shipped the new lighter menu and navigation design.

Pholio Released: We've moved Pholio (an application for design review) out of beta.

Dashboards Released: We've moved Dashboards (which let you compile panels of information from other applications) out of beta. Users can install a dashboard to replace their home page. Administrators can install a default dashboard over the home page for all users.

Legalpad Released: We've moved Legalpad (a signature/agreement tracking application intended for open source projects) out of beta. Herald can now require that contributors sign an agreement (like a CLA) before their revisions can be accepted.

Notifications: The scalability and maturity of the real-time notification server has increased significantly. The CLI for bin/aphlict is now more similar to the CLI for bin/phd.

Security

  • We've removed support for file:// protocols in Diffusion. This protocol had security implications and no longer makes sense given application changes since the time it was implemented, and planned changes in the future. This was reported to us via HackerOne, and we awarded a $600 bounty.
  • We now report less information in Daemon logs. A researcher found a set of circumstances which could cause sensitive information to be reported into these logs. In the future, we will likely move this out of the web UI, since it's difficult to blacklist everything sensitive that might appear in the log. This was reported to us via HackerOne, and we awarded a $300 bounty.
  • We received 28 additional reports via HackerOne which we did not award:
    • (6 Reports) Researchers reported issues with CSRF that did not hold up under scrutiny.
    • (6 Reports) Session rotation is decoupled from password rotation, and CSRF rotation is decoupled from both. We don't think this is a security vulnerability, but plan to change the behavior and introduce optional coupling because we receive so many reports from researchers who expect two or more of these behaviors to be coupled.
    • (5 Reports) Non-security bugs on phabricator.org.
    • (4 Reports) Reports related to path disclosure, which we are not concerned about at this time.
  • (2 Reports) Reports related to content spoofing, which we are not concerned about at this time.
    • (2 Reports) Users can enumerate other users, by design.
    • (1 Report) Users can upload arbitrary files, by design.
    • (1 Report) Users can edit wiki pages, by design.
    • (1 Report) A non-sensitive token could theoretically leak to an attacker.
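The session/password/CSRF coupling item above is the kind of behaviour that is easier to reason about with a concrete model. The following is an added example, not Phabricator's code: a hypothetical in-memory session store written in Python. Each user carries a password generation counter (an assumed design), each session records the generation it was created under, and the CSRF token is derived from a per-session secret. With coupling on, changing the password invalidates every session issued under the old generation, and because the CSRF token is bound to the session it rotates with it; with coupling off, the store reproduces the decoupled behaviour described in the report summary.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: str
    # Assumed design: bumped on every password change so sessions can be
    # compared against the credential they were issued under.
    password_generation: int = 0


@dataclass
class Session:
    user: str
    password_generation: int
    secret: str  # per-session secret; CSRF tokens are derived from it


class SessionStore:
    """Hypothetical store; couple_to_password selects the behaviour."""

    def __init__(self, couple_to_password: bool) -> None:
        self.couple = couple_to_password
        self.sessions: dict[str, Session] = {}

    def login(self, user: User) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user.name, user.password_generation,
                                     secrets.token_hex(32))
        return sid

    def is_valid(self, sid: str, users: dict[str, User]) -> bool:
        session = self.sessions.get(sid)
        if session is None:
            return False
        user = users[session.user]
        # Coupled mode: a session issued under an older password is revoked.
        if self.couple and session.password_generation != user.password_generation:
            del self.sessions[sid]
            return False
        return True

    def csrf_token(self, sid: str) -> str:
        # Token is an HMAC over a fixed label keyed with the session secret,
        # so a new session (or a rotated secret) yields a new token.
        session = self.sessions[sid]
        return hmac.new(session.secret.encode(), b"csrf", hashlib.sha256).hexdigest()

    def check_csrf(self, sid: str, token: str) -> bool:
        if sid not in self.sessions:
            return False
        return hmac.compare_digest(self.csrf_token(sid), token)


def change_password(user: User, new_password: str) -> None:
    # Constructed placeholder hashing; a real system would use a slow KDF.
    user.password_hash = hashlib.sha256(new_password.encode()).hexdigest()
    user.password_generation += 1


def demo(couple: bool) -> dict:
    """Log in, rotate the password, and report what survived."""
    users = {"alice": User("alice", hashlib.sha256(b"old").hexdigest())}
    store = SessionStore(couple_to_password=couple)
    sid = store.login(users["alice"])
    token_before = store.csrf_token(sid)
    change_password(users["alice"], "new")
    still_valid = store.is_valid(sid, users)
    return {
        "session_survives_password_change": still_valid,
        "csrf_still_accepted": store.check_csrf(sid, token_before),
    }


if __name__ == "__main__":
    print("coupled:  ", demo(couple=True))
    print("decoupled:", demo(couple=False))
```

Running the module prints one line per mode; in coupled mode both the session and its CSRF token stop being accepted after the password change, while in decoupled mode both remain usable, which is exactly the gap researchers keep reporting.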

General

  • Added an {icon} rule to Remarkup.
  • Projects can now have a color selected, and colors and icons show up in most interfaces. This helps distinguish between different types of projects.
  • Installs can now require that all users configure multi-factor authentication.
  • More objects can be tagged with projects: pastes, Pholio mocks, Ponder questions, Slowvote polls.
  • Hunks are now stored compressed.
  • Differential now does a somewhat better job of handling text encodings. Added options to change highlighting and encoding from the UI.
  • Added Bitbucket as an authentication provider.

Arcanist

  • Added a --head flag for arc diff (supported under Git), to specify the head of the commit range.
  • arc patch now commits with --no-verify to skip commit hooks.
  • Added a --config x=y flag to set runtime configuration.
  • arc lint --everything now lints only working copy files.

Bug Fixes / Minor Issues

  • Fixed an issue with arc branch in Mercurial with no bookmarks.
  • Fixed an issue where Mercurial committer names with no email address would be parsed incorrectly.
  • Fixed a race condition where git diff-files would collide with other Git commands.
  • bin/remove destroy now supports: projects, repositories, Herald rules, Arcanist projects, Pholio mocks.
  • Fixed an issue where split heads in Mercurial would be detected incorrectly.
  • Fixed an issue where push transactions in Mercurial could miss some commits.
  • Fixed an issue where embedded countdowns might not work.
  • bin/phd status now shows daemons across hosts.
  • The Differential repository field now shows up in email.
  • We no longer use {branches} in Mercurial, as it is haunted with an evil demon curse.
  • In Chrome, when the clipboard contains both text and an image, we now paste only the text.
  • Workboard columns can now be hidden in a more reasonable way.
  • Backlog columns can now be renamed.

Developer

  • Added a Python lexer/highlighter.
  • Added PhutilConsoleTable for formatting tables in CLI output.
  • phutil_utf8_console_strlen() now handles combining characters.
  • Filesystem::createDirectory() no longer uses 0777 by default.
  • Filesystem::resolveBinary() now works with local paths on Windows.
  • Added PhutilJSONParser to improve error messages when parsing JSON.
  • Added PhutilUTF8StringTruncator as a successor to phutil_utf8_shorten().
  • Made UTF8 algorithms slower.
  • Linters no longer lint symlinks by default.
  • arc liberate now throws when encountering unsupported language features.
Last Author
epriestley