2011-01-25 18:59:31 +01:00
<?php

2011-05-28 01:39:34 +02:00
error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', 1);

2011-01-25 18:59:31 +01:00
$include_path = ini_get('include_path');
2012-04-06 08:50:55 +02:00
ini_set(
  'include_path',
  $include_path.PATH_SEPARATOR.dirname(__FILE__).'/../../');
2012-03-20 03:21:10 +01:00
@include_once 'libphutil/scripts/__init_script__.php';
2011-01-25 18:59:31 +01:00
if (!@constant('__LIBPHUTIL__')) {
  echo "ERROR: Unable to load libphutil. Update your PHP 'include_path' to ".
       "include the parent directory of libphutil/.\n";
  exit(1);
}

phutil_load_library(dirname(__FILE__).'/../src/');
Create AphrontWriteGuard, a backup mechanism for CSRF validation
Summary:
Provide a catchall mechanism to find unprotected writes.
- Depends on D758.
- Similar to WriteOnHTTPGet stuff from Facebook's stack.
- Since we have a small number of storage mechanisms and highly structured
read/write pathways, we can explicitly answer the question "is this page
performing a write?".
- Never allow writes without CSRF checks.
- This will probably break some things. That's fine: they're CSRF
vulnerabilities or weird edge cases that we can fix. But don't push to Facebook
for a few days unless you're prepared to deal with this.
- **>>> MEGADERP: All Conduit write APIs are currently vulnerable to CSRF!
<<<**
Test Plan:
- Ran some scripts that perform writes (scripts/search indexers), no issues.
- Performed normal CSRF submits.
- Added writes to an un-CSRF'd page, got an exception.
- Executed conduit methods.
- Did login/logout (this works because the logged-out user validates the
logged-out csrf "token").
- Did OAuth login.
- Did OAuth registration.
Reviewers: pedram, andrewjcg, erling, jungejason, tuomaspelkonen, aran,
codeblock
Commenters: pedram
CC: aran, epriestley, pedram
Differential Revision: 777
2011-08-03 20:49:27 +02:00
// NOTE: This is dangerous in general, but we know we're in a script context and
// are not vulnerable to CSRF.
AphrontWriteGuard::allowDangerousUnguardedWrites(true);

2011-10-01 17:59:42 +02:00
require_once dirname(dirname(__FILE__)).'/conf/__init_conf__.php';

$env = isset($_SERVER['PHABRICATOR_ENV'])
  ? $_SERVER['PHABRICATOR_ENV']
  : getenv('PHABRICATOR_ENV');
if (!$env) {
Make SQL patch management DAG-based and provide namespace support
Summary:
This addresses three issues with the current patch management system:
# Two people developing at the same time often pick the same SQL patch number, and then have to go rename it. The system catches this, but it's silly.
# Second/third-party developers can't use the same system to manage auxiliary storage they may want to add.
# There's no way to build mock databases for unit tests that need to do reads.
To resolve these things, you can now name your patches whatever you want and conflicts are just merge conflicts, which are less of a pain to fix than filename conflicts.
Dependencies are now a DAG, with implicit dependencies created on the prior patch if no dependencies are specified. Developers can add new concrete subclasses of `PhabricatorSQLPatchList` to add storage management, and define the dependency branchpoint of their patches so they apply in the correct order (although, generally, they should not depend on the mainline patches, presumably).
The commands `storage upgrade --namespace test1234` and `storage destroy --namespace test1234` will allow unit tests to build and destroy MySQL storage.
A "quickstart" mode allows an upgrade from scratch in ~1200ms. Destruction takes about 200ms. These seem like fairly reasonable costs to actually use in tests. Building from scratch patch-by-patch takes about 6000ms.
Test Plan:
- Created new databases from scratch with and without quickstart in a separate test namespace. Pointed the webapp at the test namespaces, browsed around, everything looked good.
- Compared quickstart and no-quickstart dump states, they're identical except for mysqldump timestamps and a few similar things.
- Upgraded a legacy database to the new storage format.
- Destroyed / dumped storage.
Reviewers: edward, vrana, btrahan, jungejason
Reviewed By: btrahan
CC: aran, nh
Maniphest Tasks: T140, T345
Differential Revision: https://secure.phabricator.com/D2323
2012-04-30 16:54:00 +02:00
  echo phutil_console_wrap(
    phutil_console_format(
      "**ERROR**: PHABRICATOR_ENV Not Set\n\n".
      "Define the __PHABRICATOR_ENV__ environment variable before running ".
      "this script. You can do it on the command line like this:\n\n".
      " $ PHABRICATOR_ENV=__custom/myconfig__ %s ...\n\n".
      "Replace __custom/myconfig__ with the path to your configuration file. ".
      "For more information, see the 'Configuration Guide' in the ".
      "Phabricator documentation.\n\n",
      $argv[0]));
2011-10-01 17:59:42 +02:00
  exit(1);
}

$conf = phabricator_read_config_file($env);
$conf['phabricator.env'] = $env;

PhabricatorEnv::setEnvConfig($conf);

phutil_load_library('arcanist/src');

foreach (PhabricatorEnv::getEnvConfig('load-libraries') as $library) {
  phutil_load_library($library);
}

PhutilErrorHandler::initialize();
PhabricatorEventEngine::initialize();

$tz = PhabricatorEnv::getEnvConfig('phabricator.timezone');
if ($tz) {
  date_default_timezone_set($tz);
}

2012-06-21 21:02:12 +02:00
$translation = PhabricatorEnv::newObjectFromConfig('translation.provider');
PhutilTranslator::getInstance()
  ->setLanguage($translation->getLanguage())
  ->addTranslations($translation->getTranslations());

2012-08-29 22:16:33 +02:00
// Append any paths to $PATH if we need to.
$paths = PhabricatorEnv::getEnvConfig('environment.append-paths');
if (!empty($paths)) {
  $current_env_path = getenv('PATH');
2012-10-02 00:15:07 +02:00
  $new_env_paths = implode(PATH_SEPARATOR, $paths);
  putenv('PATH='.$current_env_path.PATH_SEPARATOR.$new_env_paths);
2012-08-29 22:16:33 +02:00
}
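Added example, not part of the original file and not Phabricator's own code: a minimal sketch of the write-guard idea from the AphrontWriteGuard commit message above, where every storage write passes through one choke point that refuses to proceed unless the request's CSRF check succeeded, and a script entry point opts out explicitly. ExampleWriteGuard, ExampleStorage and their methods are hypothetical names, and the request is constructed.

```php
<?php
// Added illustration. ExampleWriteGuard and ExampleStorage are hypothetical
// names, not Phabricator classes.
final class ExampleWriteGuard {
  private static $instance;
  private static $allowUnguarded = false;
  private $csrfValidator;

  // The web entry point installs one guard per request, passing a callback
  // that reports whether the request carried a valid CSRF token.
  public function __construct(callable $csrf_validator) {
    $this->csrfValidator = $csrf_validator;
    self::$instance = $this;
  }

  // Script entry points have no browser session to forge, so they opt out.
  public static function allowUnguardedWrites($allow) {
    self::$allowUnguarded = (bool)$allow;
  }

  // Called by every storage write path before it touches the database.
  public static function willWrite() {
    if (self::$allowUnguarded) {
      return;
    }
    if (!self::$instance || !call_user_func(self::$instance->csrfValidator)) {
      throw new RuntimeException('Write attempted without a valid CSRF check.');
    }
  }
}

final class ExampleStorage {
  public $rows = array();
  public function insert($row) {
    ExampleWriteGuard::willWrite();  // single choke point for all writes
    $this->rows[] = $row;
  }
}

// Constructed request: the token check fails, as on a forged cross-site POST.
new ExampleWriteGuard(function () { return false; });
$storage = new ExampleStorage();
try {
  $storage->insert('from web request');
} catch (RuntimeException $ex) {
  echo "blocked: ".$ex->getMessage()."\n";
}
// Script context: the opt-out is explicit and greppable, so it can be audited.
ExampleWriteGuard::allowUnguardedWrites(true);
$storage->insert('from script');
echo count($storage->rows)." row written\n";
```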