mirror of https://we.phorge.it/source/phorge.git synced 2024-12-30 01:10:58 +01:00

Lock feed.public and feed.http-hooks config options

Summary:
Ref T6817. Ref T5726. These both bypass policy checks, and would allow an attacker who gains control of an administrative account to enable public feed, then view feed stories they could not normally see; or enable feed.http-hooks, then read the posted text.

In the longer term I'd like to remove `feed.public` completely (possibly providing API alternatives, if necessary).

Test Plan: Looked at options in web UI and saw them locked.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T6817, T5726

Differential Revision: https://secure.phabricator.com/D11046
This commit is contained in:
epriestley 2014-12-29 08:04:47 -08:00
parent 102e431feb
commit 9dd0eca335

@ -14,6 +14,7 @@ final class PhabricatorFeedConfigOptions
public function getOptions() {
return array(
$this->newOption('feed.public', 'bool', false)
->setLocked(true)
->setBoolOptions(
array(
pht('Allow anyone to view the feed'),
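Review bot: the `->setLocked(true)` call makes `feed.public` read-only in the web UI, but the option's own text (the bool label "Allow anyone to view the feed" and the following description) still reads as if an administrator can flip it there; consider extending the description with a sentence stating that the option is locked and can only be changed from the host's configuration, so that the policy-bypass reasoning from the summary is visible to the person who will next read this option.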
@ -30,6 +31,7 @@ final class PhabricatorFeedConfigOptions
"NOTE: You must also set `policy.allow-public` to true for this ".
"setting to work properly.")),
$this->newOption('feed.http-hooks', 'list<string>', array())
->setLocked(true)
->setSummary(pht('POST notifications of feed events.'))
->setDescription(
pht(
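Review bot: as with `feed.public`, the `->setLocked(true)` on `feed.http-hooks` is not reflected in the option's summary ("POST notifications of feed events."), which gives no hint that the hook endpoints receive story text and that this is why UI-level edits are now refused; suggest adding that rationale to the description here so the lock is self-documenting rather than explained only in the commit message.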