2018 Week 3 (Late January)
Summary of changes from January 16, 2018 to January 19, 2018.
Codebase | Repository | HEAD | Activity
---|---|---|---
Phabricator | rP | rP3e983b583d | 0 commits
Arcanist | rARC | rARC2e023322 | 0 commits
libphutil | rPHU | rPHU2d8cdda | 1 commit
Instances (SAAS) | rSAAS | rSAAS301336d | 0 commits
Services (SAAS) | rSERVICES | rSERVICES9fe96c7 | 0 commits
Core (SAAS) | rCORE | rCORE163f963 | 0 commits
- These changes were promoted to stable.
General
This is just promoting master so T13025 (a large bulk editor rewrite) can land without triggering a lot of peril. Week 2, which was "released" a couple days ago, also didn't actually promote to stable, so this is the first stable with the handful of bugfixes from that release note (see 2018 Week 2 (Mid January)).
Security
We fixed an issue where URIs in the form /\evil.com were not recognized as remote URIs and thus evaded tabnabbing protection, even though all browsers treat //evil.com and /\evil.com as equivalent, valid links. This was reported to us via HackerOne; see #306414 (this issue may not have been disclosed yet whenever you're reading this document).
This attack just enables tabnabbing, which is most likely to be useful in very targeted phishing attacks, and generally isn't exceptionally dangerous.
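The gap described above, as an added example that is not Phabricator's or libphutil's own code: a prefix-based local-link check next to one that resolves the href the way a browser does (WHATWG `URL`, as implemented in Node.js) and compares origins. The origin `https://phabricator.example.com`, the function names and the sample hrefs are constructed for illustration, and the `rel` value is a generic tabnabbing mitigation, not a statement of what Phabricator emits.

```javascript
// Constructed placeholder origin for the site rendering the links.
const SITE_ORIGIN = 'https://phabricator.example.com';

// Prefix check: a single leading "/" is assumed to be a local path and only
// the protocol-relative "//host" form is rejected. "/\host" slips through.
function isLocalNaive(href) {
  return href.startsWith('/') && !href.startsWith('//');
}

// Resolved check: parse the href against the site origin with the WHATWG URL
// parser, which treats "\" like "/" for http(s) URLs, then compare origins.
function isLocalResolved(href) {
  let resolved;
  try {
    resolved = new URL(href, SITE_ORIGIN + '/');
  } catch (err) {
    return false; // unparseable input is handled as remote
  }
  return resolved.origin === SITE_ORIGIN;
}

// rel attribute for a link opened in a new tab: remote targets get
// "noopener noreferrer" so the opened page receives no window.opener handle.
function relFor(href, isLocal) {
  return isLocal(href) ? '' : 'noopener noreferrer';
}

// Constructed sample hrefs, including the two forms named in the note above.
const SAMPLES = ['/T13025', '//evil.com', '/\\evil.com',
                 'https://evil.com/', '/w/changelog/'];

// Hrefs on which the two classifiers disagree, i.e. links the prefix check
// would leave unprotected.
function disagreements(samples) {
  return samples.filter((h) => isLocalNaive(h) !== isLocalResolved(h));
}

for (const href of SAMPLES) {
  console.log(JSON.stringify(href),
    'naive rel:', JSON.stringify(relFor(href, isLocalNaive)),
    'resolved rel:', JSON.stringify(relFor(href, isLocalResolved)));
}
console.log('unprotected by prefix check:', disagreements(SAMPLES));
```
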
Migrations
- No migrations in this period.
Upgrading / Compatibility
- No notes in this period.
- Last Author: epriestley
- Last Edited: Jan 19 2018, 8:37 PM