1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-27 07:50:57 +01:00
Commit graph

21 commits

Author SHA1 Message Date
epriestley
a2515921b6 Detect developer error when constructing forms with absolute URIs
Summary: Ref T1921. Ref T4339. If you `phabricator_form()` with an absolute URI, we silently drop the CSRF tokens. This can be confusing if you meant to specify `"/some/path"` but ended up specifying `"http://this.install.com/some/path"`. In all current cases that I can think of / am aware of, this indicates an error in the code. Make it more obvious what's happening and how to fix it. The error only fires in developer mode.

Test Plan: Hit this case, also rendered normal forms.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4339, T1921

Differential Revision: https://secure.phabricator.com/D8044
2014-01-23 14:03:28 -08:00
Jakub Vrana
00fb8c22e4 Decentralize phtize
Summary: The idea is to have all `phtize` definitions in applications to allow their separation.

Test Plan: Clicked View Options after mangling the translation.

Reviewers: epriestley

Reviewed By: epriestley

CC: btrahan, Korvin, epriestley, aran

Differential Revision: https://secure.phabricator.com/D7345
2013-11-04 11:38:28 -08:00
Jakub Vrana
82e57ab8a7 Add Link button to Remarkup assist
Summary: Believe it or not, I forgot how to create a link in Remarkup.

Test Plan: Clicked on it with selected URL, selected text and without a selection.

Reviewers: chad, epriestley

Reviewed By: epriestley

CC: epriestley, aran, chad

Differential Revision: https://secure.phabricator.com/D7336
2013-10-17 18:57:40 -07:00
Jakub Vrana
07b8c2cfd0 Phtize phabricator-remarkup-assist
Test Plan: Translated 'bold text' as 'txt', clicked on B without selection, saw 'txt'.

CC: epriestley, aran

Differential Revision: https://secure.phabricator.com/D7335
2013-10-16 19:04:47 -07:00
Jakub Vrana
aa576af434 Remove deprecated javelin_render_tag() and phabricator_render_form()
Summary:
Not removing `phutil_render_tag()` for now as it is still used in Diviner.

@edward, please verify Facebook callsites.

Test Plan: Searched for it.

Reviewers: edward, epriestley

Reviewed By: epriestley

CC: aran, Korvin, wez

Differential Revision: https://secure.phabricator.com/D6494
2013-07-18 13:30:25 -07:00
Jakub Vrana
6a0ac6b532 Translate differential-dropdown-menus
Summary: This is a simpler version of D5649.

Test Plan: Switched to ALL CAPS translation and clicked View Options.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T1139

Differential Revision: https://secure.phabricator.com/D5759
2013-04-23 11:09:23 -07:00
epriestley
0f1bdbe147 Merge branch 'master' into phutil_tag
(Sync.)
2013-02-04 06:19:52 -08:00
vrana
356c300086 Port javelin_tag() to master
Summary: I want to make FB code forwards compatible.

Test Plan: None.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D4766
2013-01-31 09:10:33 -08:00
epriestley
74a90999d8 render_tag -> tag: phabricator_form, differential inline comment
Summary: Pretty straightforward.

Test Plan: Viewed inline edit on left / right and new /edit.

Reviewers: vrana

Reviewed By: vrana

CC: aran

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4724
2013-01-30 11:24:30 -08:00
epriestley
3093d1663d Add javelin_tag(), convert easy callsites
Summary:
  - Implements `javelin_tag()`, which is `javelin_render_tag()` on top of `phutil_tag()` instead of `phutil_render_tag()`.
  - Manually converts all or almost all of the trivial callsites.

Test Plan:
  - Site does not seem any more broken than before.

Reviewers: vrana

Reviewed By: vrana

CC: aran

Differential Revision: https://secure.phabricator.com/D4639
2013-01-25 12:57:17 -08:00
vrana
f8dbfdd59d Convert phutil_render_tag(X, Y) to phutil_tag
Summary:
Created with spatch:

  lang=diff
  - phutil_render_tag
  + phutil_tag
    (X, Y)

(and null manually)

Test Plan: Loaded homepage

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D4500
2013-01-24 19:08:54 -08:00
vrana
ef85f49adc Delete license headers from files
Summary:
This commit doesn't change license of any file. It just makes the license implicit (inherited from LICENSE file in the root directory).

We are removing the headers for these reasons:

- It wastes space in editors, less code is visible in editor upon opening a file.
- It brings noise to diff of the first change of any file every year.
- It confuses Git file copy detection when creating small files.
- We don't have an explicit license header in other files (JS, CSS, images, documentation).
- Using license header in every file is not obligatory: http://www.apache.org/dev/apply-license.html#new.

This change is approved by Alma Chao (Lead Open Source and IP Counsel at Facebook).

Test Plan: Verified that the license survived only in LICENSE file and that it didn't modify externals.

Reviewers: epriestley, davidrecordon

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2035

Differential Revision: https://secure.phabricator.com/D3886
2012-11-05 11:16:51 -08:00
Bob Trahan
3ffc764141 Introduce lightbox view for images
Summary:
images attached to maniphest tasks and mentioned in remarkup anywhere now invoke a lightbox control that lets the user page through all the images.

lightbox includes a download button, next / prev buttons, and if we're not at the tippy toppy of hte page an "X" or close button.

we also respond to left, right, and esc for navigating.

next time we should get non-images working in here...!

Test Plan:
played with maniphest - looks good
made comments with images. looks good.
made sure multiple image comments worked.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin, chad

Maniphest Tasks: T1896

Differential Revision: https://secure.phabricator.com/D3705
2012-10-22 19:06:56 -07:00
epriestley
1105cfc3a8 Don't set mustcapture for falsey values
Summary: See discussion in D3722. Good catch -- I'd definitely say this is a bug.

Test Plan: Rendered two <div />s, one with mustcapture set to `true` and one to `false`. The first got `data-mustcapture`; the second did not.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D3723
2012-10-17 08:35:57 -07:00
vrana
6cc196a2e5 Move files in Phabricator one level up
Summary:
- `kill_init.php` said "Moving 1000 files" - I hope that this is not some limit in `FileFinder`.
- [src/infrastructure/celerity] `git mv utils.php map.php; git mv api/utils.php api.php`
- Comment `phutil_libraries` in `.arcconfig` and run `arc liberate`.

NOTE: `arc diff` timed out so I'm pushing it without review.

Test Plan:
/D1234
Browsed around, especially in `applications/repository/worker/commitchangeparser` and `applications/` in general.

Auditors: epriestley

Maniphest Tasks: T1103
2012-06-01 12:32:44 -07:00
epriestley
09c8af4de0 Upgrade phabricator to libphutil v2
Summary: Mechanical changes from D2588. No "Class.php" moves yet.

Test Plan: See D2588.

Reviewers: vrana, btrahan, jungejason

Reviewed By: vrana

CC: aran

Maniphest Tasks: T1103

Differential Revision: https://secure.phabricator.com/D2591
2012-05-30 14:26:29 -07:00
vrana
6bd8542abb Avoid sending CSRF token in GET and external forms
Summary:
Sending CSRF token in GET forms is dangerous because if there are external links
on the target page then the token could leak through Referer header.
The token is not required for anything because GET forms are used only to
display data, not to perform operations.
Sending CSRF tokens to external URLs leaks the token immediately.

Please note that <form action> defaults to GET.

PhabricatorUserOAuthSettingsPanelController suffered from this problem for both
reasons.

Test Plan: Save my settings (POST form).

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1558
2012-02-03 10:58:51 -08:00
epriestley
3aa17c7443 Prevent CSRF uploads via /file/dropupload/
Summary:
We don't currently validate CSRF tokens on this workflow. This allows an
attacker to upload arbitrary files on the user's behalf. Although I believe the
tight list of servable mime-types means that's more or less the end of the
attack, this is still a vulnerability.

In the long term, the right solution is probably to pass CSRF tokens on all Ajax
requests in an HTTP header (or just a GET param) or something like that.
However, this endpoint is unique and this is the quickest and most direct way to
close the hole.

Test Plan:
  - Drop-uploaded files to Files, Maniphest, Phriction and Differential.
  - Modified CSRF vaidator to use __csrf__.'x' and verified uploads and form
submissions don't work.

Reviewers: andrewjcg, aran, jungejason, tuomaspelkonen, erling
Commenters: andrewjcg, pedram
CC: aran, epriestley, andrewjcg, pedram
Differential Revision: 758
2011-08-16 13:19:10 -07:00
epriestley
147d2e2e3d Rought cut of search.
Summary: Botched this pretty badly in git so we'll see how much I broke. :/

Test Plan:

Reviewers:

CC:
2011-02-14 15:34:20 -08:00
epriestley
9dac0ed9f1 Bring in JX.Workflow and the inline commenting behavior, plus sync Javelin. 2011-02-01 15:52:04 -08:00
epriestley
03fec6e911 PhabricatorEnv
'infratructure' -> 'infrastructure' (rofl)
Recaptcha
Email Login / Forgot Password
Password Reset
2011-01-31 11:55:26 -08:00