mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-27 09:12:41 +01:00
[SECURITY] Prevented PhabricatorSetupIssueView from exposing sensitive config options.
Summary: Currently PhabricatorSetupIssueView will show the current values of configuration options regardless of whether or not they are defined as hidden options. This means that if the MySQL server stops, Phabricator will present the MySQL connection credentials to anyone who can access the Phabricator page. Test Plan: Stop the MySQL server for a Phabricator instance. It should display 'hidden' instead of the MySQL password. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D5596
This commit is contained in:
parent
bbfc8a0937
commit
3b1a1ae7e3
2 changed files with 24 additions and 6 deletions
|
@ -50,7 +50,7 @@ final class PhabricatorConfigResponse extends AphrontHTMLResponse {
|
||||||
$resources[] = phutil_tag(
|
$resources[] = phutil_tag(
|
||||||
'style',
|
'style',
|
||||||
array('type' => 'text/css'),
|
array('type' => 'text/css'),
|
||||||
Filesystem::readFile($webroot.'/rsrc/css/'.$path));
|
phutil_safe_html(Filesystem::readFile($webroot.'/rsrc/css/'.$path)));
|
||||||
}
|
}
|
||||||
return phutil_implode_html("\n", $resources);
|
return phutil_implode_html("\n", $resources);
|
||||||
}
|
}
|
||||||
|
|
|
@ -132,13 +132,25 @@ final class PhabricatorSetupIssueView extends AphrontView {
|
||||||
"The current Phabricator configuration has these %d value(s):",
|
"The current Phabricator configuration has these %d value(s):",
|
||||||
count($configs)));
|
count($configs)));
|
||||||
|
|
||||||
|
$options = PhabricatorApplicationConfigOptions::loadAllOptions();
|
||||||
|
$hidden = array();
|
||||||
|
foreach ($options as $key => $option) {
|
||||||
|
if ($option->getHidden()) {
|
||||||
|
$hidden[$key] = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$table = null;
|
||||||
$dict = array();
|
$dict = array();
|
||||||
foreach ($configs as $key) {
|
foreach ($configs as $key) {
|
||||||
|
if (isset($hidden[$key])) {
|
||||||
|
$dict[$key] = null;
|
||||||
|
} else {
|
||||||
$dict[$key] = PhabricatorEnv::getUnrepairedEnvConfig($key);
|
$dict[$key] = PhabricatorEnv::getUnrepairedEnvConfig($key);
|
||||||
}
|
}
|
||||||
$table = $this->renderValueTable($dict);
|
}
|
||||||
|
|
||||||
$options = PhabricatorApplicationConfigOptions::loadAllOptions();
|
$table = $this->renderValueTable($dict, $hidden);
|
||||||
|
|
||||||
if ($this->getIssue()->getIsFatal()) {
|
if ($this->getIssue()->getIsFatal()) {
|
||||||
$update_info = phutil_tag(
|
$update_info = phutil_tag(
|
||||||
|
@ -299,12 +311,18 @@ final class PhabricatorSetupIssueView extends AphrontView {
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
private function renderValueTable(array $dict) {
|
private function renderValueTable(array $dict, array $hidden = array()) {
|
||||||
$rows = array();
|
$rows = array();
|
||||||
foreach ($dict as $key => $value) {
|
foreach ($dict as $key => $value) {
|
||||||
|
if (isset($hidden[$key])) {
|
||||||
|
$value = phutil_tag('em', array(), 'hidden');
|
||||||
|
} else {
|
||||||
|
$value = $this->renderValueForDisplay($value);
|
||||||
|
}
|
||||||
|
|
||||||
$cols = array(
|
$cols = array(
|
||||||
phutil_tag('th', array(), $key),
|
phutil_tag('th', array(), $key),
|
||||||
phutil_tag('td', array(), $this->renderValueForDisplay($value)),
|
phutil_tag('td', array(), $value),
|
||||||
);
|
);
|
||||||
$rows[] = phutil_tag('tr', array(), $cols);
|
$rows[] = phutil_tag('tr', array(), $cols);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue