1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-27 09:12:41 +01:00

[SECURITY] Prevented PhabricatorSetupIssueView from exposing sensitive config options.

Summary:
Currently PhabricatorSetupIssueView will show the current values of
configuration options regardless of whether or not they are defined
as hidden options.  This means that if the MySQL server stops, Phabricator
will present the MySQL connection credentials to anyone who can access
the Phabricator page.

Test Plan:
Stop the MySQL server for a Phabricator instance.  It should display 'hidden'
instead of the MySQL password.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5596
This commit is contained in:
James Rhodes 2013-04-06 00:27:33 -07:00 committed by epriestley
parent bbfc8a0937
commit 3b1a1ae7e3
2 changed files with 24 additions and 6 deletions

View file

@ -50,7 +50,7 @@ final class PhabricatorConfigResponse extends AphrontHTMLResponse {
$resources[] = phutil_tag( $resources[] = phutil_tag(
'style', 'style',
array('type' => 'text/css'), array('type' => 'text/css'),
Filesystem::readFile($webroot.'/rsrc/css/'.$path)); phutil_safe_html(Filesystem::readFile($webroot.'/rsrc/css/'.$path)));
} }
return phutil_implode_html("\n", $resources); return phutil_implode_html("\n", $resources);
} }

View file

@ -132,13 +132,25 @@ final class PhabricatorSetupIssueView extends AphrontView {
"The current Phabricator configuration has these %d value(s):", "The current Phabricator configuration has these %d value(s):",
count($configs))); count($configs)));
$options = PhabricatorApplicationConfigOptions::loadAllOptions();
$hidden = array();
foreach ($options as $key => $option) {
if ($option->getHidden()) {
$hidden[$key] = true;
}
}
$table = null;
$dict = array(); $dict = array();
foreach ($configs as $key) { foreach ($configs as $key) {
if (isset($hidden[$key])) {
$dict[$key] = null;
} else {
$dict[$key] = PhabricatorEnv::getUnrepairedEnvConfig($key); $dict[$key] = PhabricatorEnv::getUnrepairedEnvConfig($key);
} }
$table = $this->renderValueTable($dict); }
$options = PhabricatorApplicationConfigOptions::loadAllOptions(); $table = $this->renderValueTable($dict, $hidden);
if ($this->getIssue()->getIsFatal()) { if ($this->getIssue()->getIsFatal()) {
$update_info = phutil_tag( $update_info = phutil_tag(
@ -299,12 +311,18 @@ final class PhabricatorSetupIssueView extends AphrontView {
)); ));
} }
private function renderValueTable(array $dict) { private function renderValueTable(array $dict, array $hidden = array()) {
$rows = array(); $rows = array();
foreach ($dict as $key => $value) { foreach ($dict as $key => $value) {
if (isset($hidden[$key])) {
$value = phutil_tag('em', array(), 'hidden');
} else {
$value = $this->renderValueForDisplay($value);
}
$cols = array( $cols = array(
phutil_tag('th', array(), $key), phutil_tag('th', array(), $key),
phutil_tag('td', array(), $this->renderValueForDisplay($value)), phutil_tag('td', array(), $value),
); );
$rows[] = phutil_tag('tr', array(), $cols); $rows[] = phutil_tag('tr', array(), $cols);
} }