
2016 Week 27 (Very Early July)
Updated 2,845 Days Ago (Public)

Summary of changes from June 24, 2016 to July 1, 2016.

Phabricator, rP, rPceb395e, 35 commits
Arcanist, rARC, rARC4d4d16f, 1 commit
libphutil, rPHU, rPHUdde2f74, 3 commits
Instances (SAAS), rSAAS, rSAAS82ab2a7, 2 commits
Services (SAAS), rSERVICES, rSERVICES9cc774e, 0 commits
Core (SAAS), rCORE, rCORE35d7495, 0 commits
  • These changes were promoted to stable.
IMPORTANT: This release fixes a serious security issue (stored XSS in repositories). See T11257 for details.


  • All tokens have been replaced with boars. 🐗
  • Relationship editing actions (like "Edit Parent Tasks") have been retouched in all applications.
  • The "Table of Contents", "Local Commits", "Revision Update History" and "Other Open Revisions Affecting these Files" sections in Differential have been merged into a single tab panel.

A new "Stack" tab has been added to Differential. This tab shows parent and child revisions and their statuses:

Screen Shot 2016-07-01 at 4.30.28 PM.png (292×952 px, 46 KB)

A new "Task Graph" panel has been added to Maniphest, replacing the lists of blocked and blocking tasks:

Screen Shot 2016-07-01 at 4.36.12 PM.png (234×907 px, 48 KB)


IMPORTANT: This release fixes a stored XSS issue in Diffusion. Attackers require write access to a repository to exploit it, but there is no way to mitigate the attack in configuration. All installs are advised to upgrade. See T11257 for details.


  • No migrations in this period.

Upgrading / Compatibility

The indexers for Pholio Mocks and Diffusion Commits have been updated, so you may want to rebuild the search indexes for these objects (this is optional):

phabricator/ $ ./bin/search index --background --type Mock
phabricator/ $ ./bin/search index --background --type Commit

Rebuilding the commit index may take a substantial amount of time. The primary benefit of rebuilding these indexes is that the new "Edit Commits" actions in Maniphest and Differential will work better, so this may not be worthwhile.

Going forward, newly created and edited objects will index fully on their own whether you do this or not.


  • Large instance pricing now stops increasing at $1,000/month. Learn More.


  • We now censor credentials with ******** instead of xxxxx.
  • Improved handling of unusual URIs passed to arc install-certificate.
  • Blogs and Badges are now more destructible.
  • Embedding pastes inside inline comments generates less padding.
  • Documented the --- rule.
  • Fixed a bad CSRF token when adding email addresses.
  • We now detect the MIME type of large files properly.
  • Fixed some redirect issues when editing bot API tokens.
  • Phame posts are now more searchable.

Last Edited: Jul 2 2016, 12:30 PM