2014-07 July
Updated 971 Days AgoPublic

General

  • There are no major user-facing changes this month.

Upgrading and Compatibility

  • We recently renamed a number of classes for consistency. Generally, classes with names like ApplicationNounKind are now named ApplicationKindNoun. For example, DifferentialPHIDTypeRevision is now DifferentialRevisionPHIDType. The vast majority of classes already followed this pattern. If you have custom code which extends any of the renamed classes, you may need to update it to use the new class names.
  • The actAsUser option to Conduit is now disabled by default. If you rely on it, you must enable it explicitly in your configuration (see security.allow-conduit-act-as-user). This option is a holdover from before policies, and strongly discouraged.
  • We now detect and raise a warning about mbstring.func_overload if it is configured. This option is not supported by Phabricator.
  • There are several migrations against audit comments. These may take a few minutes if you use the audit features heavily.

Security

  • Fixed an XSS hole related to the interaction of multiple rules in Remarkup. This issue was reported to us via HackerOne and we awarded a $1,000 bounty.
  • We received 32 additional reports via HackerOne in this period. We did not award any of these reports:
    • (1 Report) Notable: arc has a security/trust model more like make than like git. Specifically, it may run arbitrary code from the working copy it is executed in (for example, to run unit tests). Because there is no way we can implement some workflows without running working copy code, we generally do not attempt to protect users against hypothetical attacks which might use arc configuration to execute commands. Although this is by design, we don't think this is a security problem, and don't have any real ideas on how to mitigate the risk it presents, we're keeping an eye on it.
    • (4 Reports) Sessions are not invalidated when passwords change. This is by design. Users have explicit control over session invalidation and few installs use password authentication. See https://secure.phabricator.com/T5509
    • (4 Reports) Researchers copy-pasting reports related to password reset link behavior. See https://secure.phabricator.com/T5506
    • (3 Reports) Researchers copy-pasting reports that Rumola (a Chrome extension which pays other people to solve CAPTCHAs for you) allows attackers to bypass CAPTCHAs.
    • (3 Reports) Server configuration which is outside of the scope of the program.
    • (2 Reports) Full path disclosure. We aren't concerned about full path disclosure at this time.
    • (1 Report) An attacker with access to a browser session where a user registered an account might be able to retrieve the user's password by using the "back" button to resubmit the registration while running a proxy server. Since this attacker could also just install a keylogger or examine process memory, we don't think this specific attack is worthwhile to address. We already support multi-factor authentication, which represents a broader defense against this class of attack.
    • (1 Report) We do not show a developer console warning telling users not to copy/paste javascript which attackers might have given them. Because Phabricator users are often technically sophisticated, we do not think this attack is realistic or that adding a warning would be helpful in defusing it.
    • (1 Report) Anonymous users are issued anonymous sessions. This is by design.
    • (1 Report) Users are permitted to collaboratively edit wiki pages. This is by design.
    • (1 Report) Users are permitted to browse repositories and view files. This is by design.
    • (1 Report) Users are permitted to interact with tasks. This is by design.
    • (1 Report) Essentially a support request about email behavior in Conpherence.
    • (1 Report) Users might be tricked into logging in to an attacker's account if given a password reset link for the account. This requires them to confirm a very clearly worded dialog which explicitly shows which account they're logging in as. We do not think this is a significant threat.
    • (1 Report) We ignore the X-Forwarded-Host header and don't do anything bad or dangerous with it.
    • (1 Report) We do not invalidate sessions when we receive a similar-looking session cookie that's slightly longer. This is by design.
    • (1 Report) Researcher misunderstood how the CSRF mechanism in Phabricator works.
    • (1 Report) Request to reopen a report we previously closed (XSS in inaccessible third-party code). We declined to reopen the report.
    • (1 Report) Strict Transport Security headers. See https://secure.phabricator.com/T4340
    • (1 Report) Content Security Policy headers. See https://secure.phabricator.com/T4340
    • (1 Report) SPF Records. See https://secure.phabricator.com/T4439

Arcanist

  • Fixed an issue with arc:upstream not working correctly in some Windows shells.
  • Fixed an issue with arc:empty not working correctly in some Git repositories.
  • Fixed an issue where file content could be listed twice in diffs generated from SVN where a new directory containing files was added.
  • Fixed an issue where history.immutable acquired the wrong default in Mercurial.
  • arc land now tries to land onto the tracked branch or the tracked remote, if one exists and no explicit target is specified.

Legalpad

  • Added support for signature exemptions.
  • Added support for corporate signatories.
  • Added support for a preamble to contextualize documents.

Harbormaster

  • Build plans now execute steps in parallel where possible, instead of sequentially. Dependencies can be set explicitly, or are determined implicitly if steps use artifacts produced by other steps.
  • Build steps can now be named.

Minor

  • Fixed an issue with reverse-nested lists with varying nesting depths.
  • We now try to interpret # as either a markdown header or a numbered list depending on context.
  • Fixed an issue with trying to delete nonexistent refs in hosted repositories.
Last Author
epriestley
Projects
None
Subscribers
None