From 2c7be52fc23ef7df1dee42ad94816768d97c147d Mon Sep 17 00:00:00 2001 From: epriestley Date: Mon, 15 Dec 2014 11:00:20 -0800 Subject: [PATCH] Lock `phabricator.show-prototypes` Summary: Two goals: - If an attacker compromises an administrator account (without compromising the host itself), they can currently take advantage of vulnerabilities in prototype applications by enabling the applications, then exploiting the vulnerability. Locking this option requires CLI access to enable prototypes, so installs which do not have prototypes enabled have no exposure to security issues in prototype applications. - Making this very slightly harder to enable is probably a good thing, given the state of the world and support. Test Plan: Verified that web UI shows the value is locked and instructs the user to update via the CLI. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D10993 --- src/applications/config/option/PhabricatorCoreConfigOptions.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/applications/config/option/PhabricatorCoreConfigOptions.php b/src/applications/config/option/PhabricatorCoreConfigOptions.php index 068d1197d5..479bf4a283 100644 --- a/src/applications/config/option/PhabricatorCoreConfigOptions.php +++ b/src/applications/config/option/PhabricatorCoreConfigOptions.php @@ -92,6 +92,7 @@ final class PhabricatorCoreConfigOptions 'create a collision preventing you from logging in.')) ->addExample('dev', pht('Prefix cookie with "dev"')), $this->newOption('phabricator.show-prototypes', 'bool', false) + ->setLocked(true) ->setBoolOptions( array( pht('Enable Prototypes'),
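Review bot: The hunk adds only `->setLocked(true)` on the `phabricator.show-prototypes` option; the option's own description text is not updated, so an administrator looking at the config page sees a disabled toggle with no explanation of why it is locked. Since the test plan relies on the generic locked-option message to point users at the CLI, consider also stating in the option description (and in the prototype-applications documentation) that enabling prototypes now deliberately requires CLI access on the host, so the security rationale from the summary is visible where the setting is shown. One caveat worth recording in the summary: locking an option does not change a value already stored in the database, so installs that previously enabled prototypes through the web UI remain enabled after this change; that is consistent with the summary's claim, which only covers installs that do not have prototypes enabled, but it should be said explicitly so nobody reads this as retroactively disabling prototype applications.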