revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-15 19:32:40 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/config/check/PhabricatorSecuritySetupCheck.php

79 lines
2.6 KiB
PHP
Raw Normal View History

Add a setup issue to detect systems vulnerable to "Shellshock" Summary: Ref T6185. Although it seems that we can't easily defuse or mitigate this, we can at least warn administrators. Test Plan: Ran on my (unpatched, local) system, got a setup warning. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T6185 Differential Revision: https://secure.phabricator.com/D10561
2014-09-25 20:21:11 +02:00
<?php
Rename `PhabricatorSetupCheck` subclasses for consistency Summary: Ref T5655. Test Plan: `arc lint` and `arc unit` Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T5655 Differential Revision: https://secure.phabricator.com/D11130
2015-01-02 05:27:45 +01:00
final class PhabricatorSecuritySetupCheck extends PhabricatorSetupCheck {
Add a setup issue to detect systems vulnerable to "Shellshock" Summary: Ref T6185. Although it seems that we can't easily defuse or mitigate this, we can at least warn administrators. Test Plan: Ran on my (unpatched, local) system, got a setup warning. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T6185 Differential Revision: https://secure.phabricator.com/D10561
2014-09-25 20:21:11 +02:00
Split Setup Issues into Groups Summary: Groups setup issues into Important, PHP, MySQL, and Base for easier parsing on initial installations. Test Plan: Test my internal server and various issues. {F289699} Reviewers: btrahan, epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T7207 Differential Revision: https://secure.phabricator.com/D11726
2015-02-10 21:53:00 +01:00
public function getDefaultGroup() {
return self::GROUP_OTHER;
}
Add a setup issue to detect systems vulnerable to "Shellshock" Summary: Ref T6185. Although it seems that we can't easily defuse or mitigate this, we can at least warn administrators. Test Plan: Ran on my (unpatched, local) system, got a setup warning. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T6185 Differential Revision: https://secure.phabricator.com/D10561
2014-09-25 20:21:11 +02:00
protected function executeChecks() {
// This checks for a version of bash with the "Shellshock" vulnerability.
// For details, see T6185.
$payload = array(
'SHELLSHOCK_PAYLOAD' => '() { :;} ; echo VULNERABLE',
);
list($err, $stdout) = id(new ExecFuture('echo shellshock-test'))
->setEnv($payload, $wipe_process_env = true)
->resolve();
if (!$err && preg_match('/VULNERABLE/', $stdout)) {
$summary = pht(
'This system has an unpatched version of Bash with a severe, widely '.
'disclosed vulnerability.');
$message = pht(
'The version of %s on this system is out of date and contains a '.
'major, widely disclosed vulnerability (the "Shellshock" '.
'vulnerability).'.
"\n\n".
'Upgrade %s to a patched version.'.
"\n\n".
'To learn more about how this issue affects Phabricator, see %s.',
phutil_tag('tt', array(), 'bash'),
phutil_tag('tt', array(), 'bash'),
phutil_tag(
'a',
array(
'href' => 'https://secure.phabricator.com/T6185',
'target' => '_blank',
),
pht('T6185 "Shellshock" Bash Vulnerability')));
$this
->newIssue('security.shellshock')
->setName(pht('Severe Security Vulnerability: Unpatched Bash'))
->setSummary($summary)
->setMessage($message);
}
Restore the "alternate file domain" setup warning and provide CDN instructions Summary: Fixes T2380. Fixes T2382. Users should really configure this, but when we had a warning before a lot of users had trouble with it. - Tout performance benefits. - Document easy setup via CDN. - We have an "Ignore" button now for users who really don't care. Test Plan: - Set up `admin.phacility.com` through AWS CloudFront (need a few changes to handle instances to put it on the cluster in general). - Set up `secure.phabricator.com` through CloudFlare (almost; waiting for DNS). Reviewers: btrahan Reviewed By: btrahan Subscribers: chad, epriestley Maniphest Tasks: T2382, T2380 Differential Revision: https://secure.phabricator.com/D11649
2015-02-03 20:51:41 +01:00
$file_key = 'security.alternate-file-domain';
$file_domain = PhabricatorEnv::getEnvConfig($file_key);
if (!$file_domain) {
$doc_href = PhabricatorEnv::getDocLink('Configuring a File Domain');
$this->newIssue('security.'.$file_key)
->setName(pht('Alternate File Domain Not Configured'))
->setSummary(
pht(
'Increase security (and improve performance) by configuring '.
'a CDN or alternate file domain.'))
->setMessage(
pht(
'Phabricator is currently configured to serve user uploads '.
'directly from the same domain as other content. This is a '.
'security risk.'.
"\n\n".
'Configure a CDN (or alternate file domain) to eliminate this '.
'risk. Using a CDN will also improve performance. See the '.
'guide below for instructions.'))
->addPhabricatorConfig($file_key)
->addLink(
$doc_href,
pht('Configuration Guide: Configuring a File Domain'));
}
Add a setup issue to detect systems vulnerable to "Shellshock" Summary: Ref T6185. Although it seems that we can't easily defuse or mitigate this, we can at least warn administrators. Test Plan: Ran on my (unpatched, local) system, got a setup warning. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T6185 Differential Revision: https://secure.phabricator.com/D10561
2014-09-25 20:21:11 +02:00
}
}
Copy permalink