2014-12 December

General / Major Changes

  • Blockquotes are now rendered with slightly darker text.

Security

  • Resolved an issue where users with insufficient access could delete repository mirrors. This issue was reported to us via HackerOne, and we awarded a $300 bounty to the researcher who discovered it.
  • Resolved an issue where Phame skins had insufficient correctness checking, which could escalate into code execution if several other conditions were also fulfilled. This issue was reported to us via HackerOne, and we awarded a $500 bounty to the researcher who discovered it.
  • We received about 25 additional reports via HackerOne in this period, but none described actionable security issues.
  • The phabricator.show-prototypes option is now locked, to raise the barrier faced by an attacker who compromises an administrative account. This is a general hardening measure.
  • The feed.public and feed.http-hooks options are now locked, to raise the barrier faced by an attacker who compromises an administrative account. This is a general hardening measure.
  • Fixed an issue where ObjectQuery might not perform all of the desired access checks; in practice, this did not seem to impact anything meaningful.

Conduit

  • Conduit now supports standard token-based authentication, like most other similar APIs. This will be better documented in the future.
  • Tokens can be managed in Settings → Conduit API Tokens.

Diffusion

  • Diffusion now (mostly) supports nonlocal repository storage for use in cluster environments.
  • Diffusion repository setup checks are now cluster-aware.
  • diffusion.readmequery has been removed. Use diffusion.filecontentquery instead.
  • Most contexts now support R<id> as an alternative repository identifier, supplementing r<callsign>.

Almanac

  • Almanac services now have service types and default properties.
  • Almanac properties now use most CustomField features.
  • Almanac services can now be locked.
  • Devices show which services they are members of.
  • Expanded the capabilities of almanac.queryservices.
  • Almanac objects can now be destroyed with bin/remove.

Administrative

  • Added a bin/worker utility for task queue management.
  • Added a setup warning for ft_boolean_syntax.
  • Added bin/search init for initializing indexes. This is primarily relevant for ElasticSearch.
  • bin/phd will now attempt to start daemons as the phd.user.
  • Added a setup check to suggest users install Pygments.
  • Improved instructions for handling surplus schemata.
  • The Config application now allows you to review a log of all configuration changes.
  • Made phabricator.base-uri warning more ominous.

Remarkup

  • Code blocks are no longer highlighted as PHP by default.
  • Bracketed numerals (like [1]) are no longer interpreted as checkbox ticks.
  • Improved handling of adjacent %%% literal blocks.
  • Improved handling of whitespace in %%% literal blocks.

Minor

  • Fixed an issue where the XHPAST linter would fail to warn about variable names in functions which made static method calls.
  • Fixed an issue where diffs could become indestructible.
  • Fixed a performance issue with some edge queries.
  • Fixed an issue where clicking the search icon with no query would execute an empty search.
  • Added more search options for Passphrase credentials.
  • Improved some layout and rendering behaviors on narrow displays.
  • Herald no longer executes when applying inverse edge transactions.
  • Fixed some issues with skipping levels in the document hierarchy when creating Phriction documents.
  • Fixed some performance issues with homepage status queries for users with a large number of active or assigned items.
  • Fixed some issues with Maniphest mail not getting the correct mail tags.
  • Fixed an issue with the worker queue on hosts with very long hostnames.
  • Transactions now paginate when there are a large number of them.
  • Various subscriber behaviors now work better in Maniphest.
  • Improved ElasticSearch index construction.
  • Improved feedback when users upload files which are too large.
  • Owners now sorts repositories alphabetically.
  • Paste now supports edit policies.

Developer

  • The Futures() construct has been removed. Instead, use new FutureIterator() explicitly.
  • Fixed issues where ExecFuture could fail silently when given bad inputs.
  • Fixed an issue where daemons could fail more quietly than they should.
  • Introduced CIDR utilities to libphutil.
  • Added bin/auth cache-pkcs8 for caching PKCS8-format keys on OSX.
  • Tasks can now be associated with an objectPHID.
  • Fixed a lot of lint issues, improving the consistency of the codebase.
  • Translations now ignore null values, so they can be used as placeholders.

Last Author: epriestley