Fix exception with "phabricator.allowed-uris" when trying to set cookies

Summary: The `phabricator.allowed-uris` config setting is not checked properly when trying to set cookies.

Test Plan:
Set an alternate URI, then accessed Phabricator. No longer received a secondary cookie error.

Hit the new exceptions to test them:

{F51131}
{F51132}

Reviewers: btrahan, garoevans

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6528

src/aphront/AphrontRequest.php

@@ -286,21 +286,49 @@ final class AphrontRequest {
     // domain. Also, use the URI protocol to control SSL-only cookies.
     $base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
     if ($base_uri) {
-      $base_uri = new PhutilURI($base_uri);
+      $alternates = PhabricatorEnv::getEnvConfig('phabricator.allowed-uris');
-
+      $allowed_uris = array_merge(
-      $base_domain = $base_uri->getDomain();
+        array($base_uri),
-      $base_protocol = $base_uri->getProtocol();
+        $alternates);
 
       $host = $this->getHost();
 
-      if ($base_domain != $host) {
+      $match = null;
-        throw new Exception(
+      foreach ($allowed_uris as $allowed_uri) {
-          "This install of Phabricator is configured as '{$base_domain}' but ".
+        $uri = new PhutilURI($allowed_uri);
-          "you are accessing it via '{$host}'. Access Phabricator via ".
+        $domain = $uri->getDomain();
-          "the primary configured domain.");
+        if ($host == $domain) {
+          $match = $uri;
+          break;
+        }
       }
 
-      $is_secure = ($base_protocol == 'https');
+      if ($match === null) {
+        if (count($allowed_uris) > 1) {
+          throw new Exception(
+            pht(
+              'This Phabricator install is configured as "%s", but you are '.
+              'accessing it via "%s". Access Phabricator via the primary '.
+              'configured domain, or one of the permitted alternate '.
+              'domains: %s. Phabricator will not set cookies on other domains '.
+              'for security reasons.',
+              $base_uri,
+              $host,
+              implode(', ', $alternates)));
+        } else {
+          throw new Exception(
+            pht(
+              'This Phabricator install is configured as "%s", but you are '.
+              'accessing it via "%s". Acccess Phabricator via the primary '.
+              'configured domain. Phabricator will not set cookies on other '.
+              'domains for security reasons.',
+              $base_uri,
+              $host));
+        }
+      }
+
+      $base_domain = $match->getDomain();
+      $is_secure = ($match->getProtocol() == 'https');
     } else {
       $base_uri = new PhutilURI(PhabricatorEnv::getRequestBaseURI());
       $base_domain = $base_uri->getDomain();

src/applications/config/controller/PhabricatorConfigEditController.php

@@ -116,7 +116,7 @@ final class PhabricatorConfigEditController
     } else if ($option->getLocked()) {
       $msg = pht(
         "This configuration is locked and can not be edited from the web ".
-        "interface.");
+        "interface. Use `./bin/config` in `phabricator/` to edit it.");
 
       $error_view = id(new AphrontErrorView())
         ->setTitle(pht('Configuration Locked'))

src/applications/config/option/PhabricatorCoreConfigOptions.php

@@ -60,7 +60,7 @@ final class PhabricatorCoreConfigOptions
               "across domains."))
         ->addExample(
           '["http://phabricator2.example.com/", '.
-            '"http://phabricator3.example.com/]"',
+            '"http://phabricator3.example.com/"]',
           pht('Valid Setting')),
       $this->newOption('phabricator.timezone', 'string', null)
         ->setSummary(