Lock uri.allowed-protocols
in Config
Summary: Without a lock this allows administrative overreach: an administrator could enable `javascript:` and then XSS things. Test Plan: Viewed value on web UI, verified it was locked. Reviewers: btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D6975
This commit is contained in:
parent
de10d91963
commit
c72f3b4bf1
1 changed files with 2 additions and 1 deletions
@ -124,7 +124,8 @@ final class PhabricatorSecurityConfigOptions
"whitelist is primarily to prevent security issues like ".
"whitelist is primarily to prevent security issues like ".
"javascript:// URIs."))
"javascript:// URIs."))
->addExample(
->addExample(
'{"http": true, "https": true"}', pht('Valid Setting')),
'{"http": true, "https": true"}', pht('Valid Setting'))
|
->setLocked(true),
$this->newOption(
$this->newOption(
'celerity.resource-hash',
'celerity.resource-hash',
'string',
'string',
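Review bot: The `addExample` value that the newly chained `->setLocked(true)` follows still carries a stray quote — `'{"http": true, "https": true"}'` is not valid JSON, so the example labelled 'Valid Setting' documents a value that would not parse if an administrator copied it. Since this commit already rewrites that line, it is the natural place to correct it to `'{"http": true, "https": true}'`. The lock itself matches the stated goal of removing web-UI editing; as I read it, a locked option presumably remains settable through the command-line or file-based configuration paths by someone who already has shell access, which is worth confirming and stating in the description so the threat model is clear. The enclosing `newOption(...)` chain and the method it sits in both begin before and end after this hunk.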