
2018 Week 3 (Late January)
Updated 2,259 Days Ago · Public


Summary of changes from January 16, 2018 to January 19, 2018.

Codebase | Repository | HEAD and Activity
Phabricator | rP | rP3e983b583d0 commits
Arcanist | rARC | rARC2e0233220 commits
libphutil | rPHU | rPHU2d8cdda1 commit
Instances (SAAS) | rSAAS | rSAAS301336d0 commits
Services (SAAS) | rSERVICES | rSERVICES9fe96c70 commits
Core (SAAS) | rCORE | rCORE163f9630 commits
  • These changes were promoted to stable.

General

This is just promoting master so T13025 (a large bulk editor rewrite) can land without triggering a lot of peril. Week 2, which was "released" a couple days ago, also didn't actually promote to stable, so this is the first stable with the handful of bugfixes from that release note (see 2018 Week 2 (Mid January)).

Security

We fixed an issue where URIs in the form /\evil.com were not recognized as remote URIs and thus evaded tabnabbing protection, even though all browsers treat //evil.com and /\evil.com as equivalent, valid links. This was reported to us via HackerOne; see #306414 (this issue may not have been disclosed yet whenever you're reading this document).

This attack just enables tabnabbing, which is most likely to be useful in very targeted phishing attacks, and generally isn't exceptionally dangerous.
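
The misclassification described above, as an added example in JavaScript (not Phabricator's code): a prefix-based remote-URI check misses /\evil.com, while resolving the href with the WHATWG URL parser, as browsers do, catches it. The origin, function names and sample hrefs are hypothetical, and the prefix check is a simplified stand-in rather than the original implementation.

```javascript
// Added example. All names and the origin below are hypothetical/constructed.
const SITE_ORIGIN = 'https://phabricator.example.com';

// Simplified stand-in for a prefix-based check: only "scheme:" and "//host"
// count as remote, so "/\host" is misclassified as a local path.
function naiveIsRemote(href) {
  return /^[a-z][a-z0-9+.-]*:/i.test(href) || href.startsWith('//');
}

// Hardened check: resolve the href the way a browser does. WHATWG URL parsing
// treats "\" as "/" for http(s), so "/\evil.com" resolves to host evil.com.
function isRemote(href) {
  try {
    return new URL(href, SITE_ORIGIN).origin !== SITE_ORIGIN;
  } catch (e) {
    return true; // unparseable input: fail closed and treat it as remote
  }
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Remote links get rel="noopener noreferrer" so the opened page cannot reach
// window.opener and navigate the originating tab.
function renderLink(href, text, remoteCheck = isRemote) {
  const rel = remoteCheck(href) ? ' rel="noopener noreferrer"' : '';
  return `<a href="${escapeHtml(href)}" target="_blank"${rel}>${escapeHtml(text)}</a>`;
}

// Constructed sample hrefs.
const SAMPLES = ['/T13025', '//evil.com', '/\\evil.com', '\\/evil.com',
                 'https://evil.com/', SITE_ORIGIN + '/w/changelog/'];

function compare(samples) {
  return samples.map((href) => ({
    href, naive: naiveIsRemote(href), hardened: isRemote(href),
  }));
}

console.table(compare(SAMPLES));
```

Comparing resolved origins instead of matching string prefixes keeps the check in step with how the browser will actually interpret the link.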

Migrations

  • No migrations in this period.

Upgrading / Compatibility

  • No notes in this period.

The [] icon indicates a change backed by support mana.

Last Author
epriestley
Last Edited
Jan 19 2018, 8:37 PM
