Page MenuHomePhabricator

2018 Week 51 (End of Year)
Updated 1,942 Days AgoPublic

Summary of changes from December 14, 2018 to December 31, 2018.

PhabricatorrPrP106e90dcf44 commits
ArcanistrARCrARC25c238191 commit
libphutilrPHUrPHUcad19850 commits
Instances (SAAS)rSAASrSAAS46244621 commit
Services (SAAS)rSERVICESrSERVICES019a12a0 commits
Core (SAAS)rCORErCORE5ec50421 commit
  • These changes were promoted to stable.


[] Updates to MFA: MFA now binds challenges to sessions and workflows. If you are challenged to provide MFA to (for example) sign a Legalpad document, the response to that challenge can not be used by a different session or on a different workflow (for example, it can not be used to upgrade a partial session to a full session).

For TOTP, this generally defuses attacks which target the window of vulnerability between you unlocking your phone and the workflow completing, while the code is displayed but your response has not yet been submitted to or confirmed by the server.

Attacks on this window generally have the shape of an adversary using a spyglass to observe your phone screen from afar and typing the code in really fast, before you can type it yourself.

The attacker may increase the size of this window by disrupting your network connection, spilling coffee on you as you type the prompt in, etc. This class of attacks is generally not terribly threatening and usually requires the attacker either be physically present or have substantial control over the client machine and the network.

TOTP responses may still be reused, but only by the same session on the same workflow and only until the workflow the challenge is guarding is completed. In essentially all cases, this serves to allow you to complete a multi-part MFA challenge (where you have two or more MFA factors configured) in a step-by-step way if you make an error, rather than requiring you to respond to a new challenge for each factor. This behavior intentionally violates RFC 6238. See T9770.

A new "Sign With MFA" comment action is available. This action will prompt you to provide MFA credentials and mark your actions as authenticated.

Maniphest may now be configured (in maniphest.statuses) to require MFA for all interactions with tasks in certain statuses.


[] MFA is generally undergoing changes in this release and upcoming releases, see above.


20181213.auth.06.challenge.sql14 ms
20181214.auth.01.workflowkey.sql21 ms
20181218.pholio.01.imageauthor.sql50 ms
20181217.auth.01.digest.sql29 ms
20181217.auth.02.ttl.sql19 ms
20181217.auth.03.completed.sql20 ms
20181219.pholio.01.imagephid.sql58 ms
20181219.pholio.02.imagemigrate.php472 ms
20181219.pholio.03.imageid.sql46 ms
20181220.pholio.01.mailkey.php240 ms
20181220.pholio.02.dropmailkey.sql44 ms

"Duration" is the duration for this install, and may not be representative.

Upgrading / Compatibility

This release includes some API changes which may affect third-party code:

[] The TYPE_AUTH_WILLLOGIN event has been removed. There is no replacement.

[] The willApplyTransactions() method on TransactionEditor has been removed. There is no direct replacement because this method did not have a clearly defined role.

[] The willRenderTimeline() method has been removed from ApplicationTransactionInterface. Almost no upstream objects implemented this method. The new PhabricatorTimelineInterface replaces it.

[] The getApplicationTransactionObject() method has been removed from ApplicationTransactionInterface. No upstream objects implemented this method and a large body of application transaction code did not call it correctly anyway.

[] MFA factor implementations have changed and will continue to change in upcoming releases. Although we aren't aware of any third-party MFA factor implementations, you'll need to update them if you have any.

[] Some Mock and Image behavior in Pholio has changed internally. Third party code which interacts direclty with Pholio may be affected.


  • When more than 100 projects match a typeahead query, active projects now appear first.
  • Webhooks now report errors in a more human-readable way.
  • Webhooks now include a reminder if your instance is in silent mode.
  • The Phrequent curtain UI element now shows time spent with higher precision.
  • [] Partial sessions now last for 30 minutes and are not extended by ongoing activity.
  • [] bin/auth recover can now recover full sessions directly, bypassing MFA.


  • The upstream linters now detect continue; inside switch (...).
  • Added a @{config:...} remarkup rule.

The [] icon indicates a change backed by support mana.

Last Author
Last Edited
Dec 28 2018, 8:44 PM

Event Timeline

epriestley edited the content of this document. (Show Details)