1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-14 19:02:41 +01:00
Commit graph

197 commits

Author SHA1 Message Date
vrana
23988ca482 Support Windows
Test Plan:
Enable setup.
Disable setup.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran

Differential Revision: https://secure.phabricator.com/D2118
2012-04-06 09:34:06 -07:00
vrana
f698e860cf Remove duplicate remarkup rule
Summary: D2110

Test Plan:
  [[wiki]]
  [[http://example.com]]
  [[http://example.com | example.com]]

Reviewers: epriestley

Reviewed By: epriestley

CC: aran

Differential Revision: https://secure.phabricator.com/D2111
2012-04-05 16:31:17 -07:00
epriestley
05b4c90bfd Allow Commits to be attached to Tasks using edges
Summary: Use Edges to attach Commits and Tasks. Note, no "edit attached commits" interface from tasks yet since the search backend needs a little work to list commits in a sensible way.

Test Plan: Attached commits to tasks. Looked at commits, looked at tasks.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T904

Differential Revision: https://secure.phabricator.com/D2105
2012-04-04 17:34:25 -07:00
epriestley
877cb136e8 Add an assocations-like "Edges" framework
Summary:
We have a lot of cases where we store object relationships, but it's all kind of messy and custom. Some particular problems:

  - We go to great lengths to enforce order stability in Differential revisions, but the implementation is complex and inelegant.
  - Some relationships are stored on-object, so we can't pull the inverses easily. For example, Maniphest shows child tasks but not parent tasks.
  - I want to add more of these and don't want to continue building custom stuff.
  - UIs like the "attach stuff to other stuff" UI need custom branches for each object type.
  - Stuff like "allow commits to close tasks" is notrivial because of nonstandard metadata storage.

Provide an association-like "edge" framework to fix these problems. This is nearly identical to associations, with a few differences:

  - I put edge metadata in a separate table and don't load it by default, to keep edge rows small and allow large metadata if necessary. The on-edge metadata seemed to get abused a lot at Facebook.
  - I put a 'seq' column on the edges to ensure they have an explicit, stable ordering within a source and type.

This isn't actually used anywhere yet, but my first target is attaching commits to tasks for T904.

Test Plan: Made a mock page that used Editor and Query. Verified adding and removing edges, overwriting edges, writing and loading edge data, sequence number generation.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, 20after4

Differential Revision: https://secure.phabricator.com/D2088
2012-04-04 15:30:21 -07:00
vrana
bc61f36beb Replace elseif by else if
Summary:
Mostly written by me.
Omit external libraries.

Test Plan: http://phabricator.com/docs/phabricator/article/PHP_Coding_Standards.html

Reviewers: epriestley

Reviewed By: epriestley

CC: aran

Differential Revision: https://secure.phabricator.com/D2104
2012-04-04 15:24:47 -07:00
vrana
a309d5ba2f Replace leading double underscore in function names by single underscore
Summary:
> PHP reserves all symbols starting with __ as magical. http://php.net/userlandnaming.rules

I didn't touch third-party S3 library.

Test Plan: /

Reviewers: epriestley

Reviewed By: epriestley

CC: aran

Differential Revision: https://secure.phabricator.com/D2077
2012-04-03 18:55:52 -07:00
vrana
67e10e60f2 Return $this from setters
Summary:
Most setters returns `$this` but some don't.
I guess it's not by purpose.

Test Plan:
  arc lint

Reviewers: epriestley

Reviewed By: epriestley

CC: aran

Differential Revision: https://secure.phabricator.com/D2085
2012-04-02 18:48:37 -07:00
epriestley
84c40a732e Minor, don't minify raphael.js since it doesn't survive it
Auditors: btrahan
2012-04-02 12:09:04 -07:00
vrana
3c19e5b133 Avoid warning in checking config classes in setup
Summary:
Current code emits warning for classes with constructors with parameters.
It also creates the objects which is bad if constructors do some actual work.

NOTE: http://svn.php.net/viewvc/phpdoc/en/trunk/reference/reflection/reflectionclass/issubclassof.xml?r1=324630&r2=324629

Test Plan:
Run setup with:

- correct classes
- not-existing class
- class with private constructor
- class not implementing the required class

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D2056
2012-03-30 10:16:00 -07:00
epriestley
36ab0c3313 Fix local-clobbering iterators in phabricator/
Summary:
These are the issues identified by the linter in D2052. I don't think any cause bugs, but they are all reasonable errors to raise and the linter correctly
detected that they are suspicious.

Test Plan: Mostly inspection.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D2053
2012-03-29 13:24:06 -07:00
epriestley
eaa2ff71d3 Minify static resources
Summary: For production servers, minify CSS and JS by stripping comments, whitespace, etc.

Test Plan: Looked at CSS/JS, it was much smaller.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T264

Differential Revision: https://secure.phabricator.com/D2034
2012-03-28 10:13:53 -07:00
Paul Tarjan
fa2467e8fe Extract out regex from PhabricatorRemarkupRuleMention
Summary:
I'd like to use this regex elsewhere and copying and pasting is
bad.

Test Plan: none

Reviewers: casey, epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D2038
2012-03-27 22:34:50 -07:00
epriestley
914f044b62 More Drydock Stuff
Summary:
  - Still really really rough.
  - Adds a full synchronous mode for debugging.
  - Adds some logging.
  - It can now allocate EC2 machines and put webroots on them in a hacky, terrible way.
  - Adds a base query class.

Test Plan: oh hey look a test page? http://ec2-50-18-65-151.us-west-1.compute.amazonaws.com:2011/

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T1049

Differential Revision: https://secure.phabricator.com/D2026
2012-03-26 20:54:26 -07:00
JeffMo
108f51d9b4 Fix PhabricatorJavelinLinter regex issue caused by D2023
Summary: D2023 adds a new '*' token to javelinsymbols (indicating that a behavior is 'installed'). This fixes a sanity-check regex in PhabricatorJavelinLinter that validates the output of javelinsymbols so that it is aware of this new token type.

Test Plan:
Patched javelinsymbols.cpp from D2023 to externals/javelin/support/javelinsymbols, build the new javelinsymbols binary, then ran

  arc lint --lintall webroot/rsrc/js/application/core/behavior-drag-and-drop-textarea.js

(before this diff, that throws an error -- after it works with no lint)

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D2025
2012-03-26 16:10:05 -07:00
epriestley
f8932b83da Minor, fix an issue with synthetic diff construction for files with several blank lines at the end. 2012-03-25 20:03:07 -07:00
epriestley
2ee5086ce9 With the {F...} syntax, render non-images as links
Summary:
We render a huge picture of a PDF for PDFs right now, etc. This is hella dumb.

Also allow users to force this rendering style, and change the link name.

Test Plan: Uploaded image and non-image files, used layout=link and name=....

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T1040

Differential Revision: https://secure.phabricator.com/D2006
2012-03-23 15:32:07 -07:00
vrana
330d62984b Check required classes in setup
Test Plan:
Run setup with 'differential.attach-task-class' set to:

- ''
- 'FacebookTasksAttacher'
- 'X'

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1999
2012-03-22 15:58:27 -07:00
epriestley
315870d56a Fix various newline problems in the difference engines
Summary: I'll mark this one up inline since it's all separate bugs.

Test Plan:
  - Created a diff with eight changes: (newline absent -> newline present, newline present -> newline absent, newline present -> newline present, newline absent -> newline absent) x (short file with change near end, long file with change near middle).
  - Viewed diff in Ignore All, Ignore Most, Ignore Trailing and Show All whitespace modes.
  - All 32 results seemed sensible.
  - Really wish this stuff was better factored and testable. Need to fix it. :(

Reviewers: vrana, btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T1030

Differential Revision: https://secure.phabricator.com/D1992
2012-03-22 14:13:48 -07:00
vrana
9622dcd98a Check instance of differential.attach-task-class
Test Plan: Attach Facebook task to revision

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1991
2012-03-22 11:10:49 -07:00
vrana
4fba549a99 Use PhabricatorEnv::newObjectFromConfig() wherever possible
Test Plan:
/mail/send/
scripts/aphront/aphrontpath.php /

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1983
2012-03-21 14:57:52 -07:00
vrana
07b60b2016 Require valid class for certain config settings
Summary:
It is now possible to set config setting requiring class of certain implementation to something completely else.
The consequence is that your Phabricator may stop working after update because you didn't implement some new method.

This diff validates the class upon usage.
It throws exception which is better than fatal thrown currently after calling undefined method.

Better solution would be to validate classes when setting the config but it would be too expensive - respective class definitions would have to be loaded and checked by reflection.

I was also thinking about some check script but nobody would run it after changing config.

The same behavior should be implemented for these settings:

- metamta.mail-adapter
- metamta.maniphest.reply-handler
- metamta.differential.reply-handler
- metamta.diffusion.reply-handler
- storage.engine-selector
- search.engine-selector
- differential.field-selector
- maniphest.custom-task-extensions-class
- aphront.default-application-configuration-class
- controller.oauth-registration

Test Plan:
Send comment, verify that it pass.
Change `metamta.differential.reply-handler` to incompatible class, verify that sending comment shows nice red exception.
Set `metamta.differential.reply-handler` to empty string, verify that it throws.

Reviewers: epriestley, btrahan

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1919
2012-03-21 14:14:01 -07:00
epriestley
6a13b3ea7e Separate the inline comment summary element into a separate view
Summary:
  - Affects the "Inline Comments" summary table which appears in comments that have attached inlines in the discussion threads in Differential.
  - Prepares for inclusion in Diffusion.
  - No application changes (minor CSS), just factors code better.
  - Simplify/separate CSS.

Test Plan: Looked at on-diff and off-diff comment summaries in Differential, display looked correct.

Reviewers: davidreuss, nh, btrahan

Reviewed By: davidreuss

CC: aran, epriestley

Maniphest Tasks: T904

Differential Revision: https://secure.phabricator.com/D1928
2012-03-19 19:45:16 -07:00
vrana
4fa9798c4a Allow selecting text when creating inline comment
Summary:
It is currently not possible to select source code covered by reticle when creating comment.
This diff hides reticle on mouseout from reply area.

Test Plan:
Hover inline comment, verify that reticle is displayed.
Reply, verify that reticle is displayed when mouseover reply, hidden otherwise.
Repeat for create.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1851
2012-03-15 11:02:25 -07:00
epriestley
900190b2fe Add inline comments to Diffusion/Audit
Summary:
  - Add inline comments to Audits, like Differential.
  - Creates new storage for the comments in the Audits database.
  - Creates a new PhabricatorAuditInlineComment class, similar to DifferentialInlineComment.
  - Defines an Interface which Differential and Audit comments conform to.
  - Makes consumers of DifferentialInlineComments consume objects which implement that interface instead.
  - Adds save

NOTE: Some features are still missing! Wanted to cut this off before it got crazy:

  - Inline comments aren't shown in the main comment list.
  - Inline comments aren't shown in the emails.
  - Inline comments aren't previewed.

I'll followup with those but this was getting pretty big.

@vrana, does the SQL change look correct?

Test Plan:
  - Created, edited, deleted, replied to, reloaded and saved inline comments in Diffusion, on the left and right side of diffs.
  - Created, edited, deleted, replied to, reloaded and saved inline comments in Differentila, on the left and right side of primary and diff-versus-diff diffs.

Reviewers: btrahan, vrana

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T904

Differential Revision: https://secure.phabricator.com/D1898
2012-03-14 12:56:01 -07:00
Craig Fratrik
4953c58c90 minor changes to setup flow
Summary:
1. The setup flow complains if you haven't updated your schema, so that section
should be moved above the setup flow.

2. The setup flow tells you to lower your timeout, but it doesn't tell you how
low will make it stop complaining.

Test Plan:
Didn't test the setup.
Regenerated the docs and saw the change.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1888
2012-03-13 19:03:29 -07:00
epriestley
d0af617818 Add "final" to (almost) everything else
Summary: Last of the big final patches. Left a few debatable classes (12 out of about 400) that I'll deal with individually eventually.

Test Plan: Ran testEverythingImplemented.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T795

Differential Revision: https://secure.phabricator.com/D1881
2012-03-13 16:21:04 -07:00
epriestley
f158b32a54 Minor, formalize changeset response class. 2012-03-12 21:39:05 -07:00
epriestley
b2890eeb0e Add "final" to all Phabricator "Controller" classes
Summary:
These are all unambiguously unextensible. Issues I hit:

  - Maniphest Change/Diff controllers, just consolidated them.
  - Some search controllers incorrectly extend from "Search" but should extend from "SearchBase". This has no runtime effects.
  - D1836 introduced a closure, which we don't handle correctly (somewhat on purpose; we target PHP 5.2). See T962.

Test Plan: Ran "testEverythingImplemented" unit test to identify classes extending from `final` classes. Resolved issues.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T795

Differential Revision: https://secure.phabricator.com/D1843
2012-03-09 15:46:25 -08:00
epriestley
6712dbb709 Bring macros to IRC
Summary:
Adds a macro handler that spams your channel with macros. Config is:

  - macro.size: scale macros to this size before rasterizing
  - macro.sleep: sleep this many seconds between lines (evade flood protection)

Test Plan: derpderp

Reviewers: kdeggelman, btrahan

Reviewed By: btrahan

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1838
2012-03-09 12:40:03 -08:00
Korvin Szanto
d7fcbd7d39 Adding explicitly set ircbot notifications
Summary:
This adds a new configuration setting:

  "notification.actions" : [
    "commit",
    "abandon",
    "actions"
  ]

if not set, displays all actions, if is set, display only what is set to display

Test Plan: add the notification.actions settings and set accordingly

Reviewers: epriestley, zeeg

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1820
2012-03-07 18:51:48 -08:00
epriestley
84d2f5fcad Increase phd sanity check timeout
Summary:
A user reported that their install (on an unusual piece of hardware) was hitting this timeout. We don't need to be quite so stingy; just use the default 30s timeout.

Also remove some kind of sentence fragment since I no longer remember what it meant and it doesn't make sense.

Test Plan: This change resolved the issue.

Reviewers: btrahan, jungejason

Reviewed By: jungejason

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1805
2012-03-07 08:52:00 -08:00
epriestley
37451ffb25 Automatically select the right Conduit URI path for the irc bot
Summary: The docs say "http://www.domain.com/" but if you don't put "/api/" it fails. GOTCHA!

Test Plan: Removed "/api/", launched bot, it worked.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T935

Differential Revision: https://secure.phabricator.com/D1763
2012-03-05 09:57:21 -08:00
Koolvin
84b518efeb Added irc What's New support for audit functions
Summary: Added support for audit comment, concern, accept

Test Plan: Comment / Concern / Accept audit, and say "What's new?" in IRC

Reviewers: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1730
2012-02-29 12:13:56 -08:00
Evan Priestley
8b447e21d0 Merge pull request #95 from Koolvin/arcpatch-D1717-1
Private Message User IRC Command
2012-02-29 09:09:37 -08:00
Koolvin
7863956746 Private Message User IRC Command
Summary:
Added phabot irc command to directly message a user rather than outputting in a
channel.

Syntax:

ex:

````Korvin, D1717```

results in phabot private messaging me the info on D1717

Test Plan: ##nick##, [DTPVF]n

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1717
2012-02-29 08:28:17 -08:00
vrana
9b318e4044 Respect username letter case in Remarkup
Test Plan:
Type ##@makinde## to comment, verify that it is converted to ##@Makinde##.
Verify that ##@NonExistent## stays ##@NonExistent##.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1725
2012-02-28 15:20:29 -08:00
Korvin Szanto
31cbb7fbe2 What's New flood protection
Summary:
Added what's new flood protection and fixed array_push issues.
Also added rhetoric for "Commit"

Test Plan: say "What's new?" twice within one minute

Reviewers: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1684
2012-02-23 19:18:22 -08:00
Korvin Szanto
5e39522ac4 IRC Bot what's new directive
Summary:
Added "What's new?" to the ircbot

====Matches

```What is new?
What's new?
Whats new```

Test Plan:
<`Korvin> what is new?
<korvinbot-local> Derpen created D1: Herped the derp - http://phabricator.net/D1

It shows five.

Reviewers: epriestley

Reviewed By: epriestley

CC: epriestley, aran

Differential Revision: https://secure.phabricator.com/D1666
2012-02-23 18:01:25 -08:00
epriestley
228c3781a2 Add gRaphael charting library
Summary:
I typed up like 30 pages here and then got my soul crushed by T895, but here's
the summary:

I looked at several charting libraries. There aren't very many that seem to be
any good and have an open-source license.

I also want the charts to be scriptable in JS so we can add good interactivity
where appropriate.

Raphael is an SVG drawing library which seems very solid. gRaphael is a charting
library on top of Raphael that is a lot less solid, but seems kind of OK.

Overall, I think this selection gives us a lot of flexibility, although we'll
have to pay some costs up front. I'd rather do that then get limited later,
though.

That said, I'm open to other suggestions here if anyone has experience or wants
to take a different stab at researching things.

This is largely for @vii and D1643.

Test Plan: Created a basic, fairly OK chart (see next revision).

Reviewers: btrahan, vii

Reviewed By: btrahan

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1654
2012-02-21 15:10:24 -08:00
epriestley
8b851e4978 Minor, fix simpleoptions parse of {F123} notation. 2012-02-17 16:22:38 -08:00
epriestley
2bcf153e7e Minor, fix chatlog handler comment. 2012-02-17 10:24:55 -08:00
epriestley
7200040479 Add a basic chatlog
Summary:
This is pretty simple and unpolished, but it's getting pretty big and it seems
like a reasonable starting point.

  - Log chat in various "channels".
  - Conduit record and query methods.
  - IRCBot integration for IRC logging

Major TODO:

  - Web UI is really unpolished and has no search, paging, anchor-linking, etc.
Basically all presentation stuff, though.
  - I think the bot should have a map of channels to log with channel aliases?
  - The "channels" should probably be in a separate table.
  - The "authors" should probably be correlated to Phabricator accounts somehow,
where possible.

Test Plan: Used phabotlocal to log #phabricator.

Reviewers: kdeggelman, btrahan, Koolvin

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T837

Differential Revision: https://secure.phabricator.com/D1625
2012-02-17 10:21:38 -08:00
epriestley
fce6a7089c Fix production file links for some alt-domain configurations
Summary:
We sometimes call PhabricatorEnv::getProductionURI($file->getBestURI()) or
similar, but this may currently cause us to construct a URI like this:

  http://domain.com/http://cdn-domain.com/file/data/xxx/yyy/name.jpg

Instead, if the provided URI has a domain already, leave it unmodified.

Test Plan: Attached a file to a task; got an email with a valid URI instead of
an invalid URI.

Reviewers: btrahan

Reviewed By: btrahan

CC: Makinde, aran, epriestley

Differential Revision: https://secure.phabricator.com/D1622
2012-02-15 17:06:36 -08:00
epriestley
35c5852d3f Add a safeguard against multiple patches with the same version
Summary:
I accidentally added two "104" patches. This actually works OK for the most part
but is fundamentally bad and wrong.

Merge the patches (installs applied both as "104", so we can't move one to
"105") and add a safeguard.

Test Plan: Ran upgrade_schema.php with two "104" patches, got error'd. Ran
without, got successs.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1614
2012-02-14 16:24:02 -08:00
epriestley
549146bc7c Move ALL files to serve from the alternate file domain, not just files without
"Content-Disposition: attachment"

Summary:
We currently serve some files off the primary domain (with "Content-Disposition:
attachment" + a CSRF check) and some files off the alternate domain (without
either).

This is not sufficient, because some UAs (like the iPad) ignore
"Content-Disposition: attachment". So there's an attack that goes like this:

	- Alice uploads xss.html
	- Alice says to Bob "hey download this file on your iPad"
        - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd.

NOTE: This removes the CSRF check for downloading files. The check is nice to
have but only raises the barrier to entry slightly. Between iPad / sniffing /
flash bytecode attacks, single-domain installs are simply insecure. We could
restore the check at some point in conjunction with a derived authentication
cookie (i.e., a mini-session-token which is only useful for downloading files),
but that's a lot of complexity to drop all at once.

(Because files are now authenticated only by knowing the PHID and secret key,
this also fixes the "no profile pictures in public feed while logged out"
issue.)

Test Plan: Viewed, info'd, and downloaded files

Reviewers: btrahan, arice, alok

Reviewed By: arice

CC: aran, epriestley

Maniphest Tasks: T843

Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 14:52:27 -08:00
epriestley
c8b4bfdcd1 Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks
Summary:
Some browsers will still sniff content types even with "Content-Type" and
"X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from
sniffing the content as HTML.

See T865.

Also unified some of the code on this pathway.

Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for
the test case in T865. Unit tests pass.

Reviewers: cbg, btrahan

Reviewed By: cbg

CC: aran, epriestley

Maniphest Tasks: T139, T865

Differential Revision: https://secure.phabricator.com/D1606
2012-02-14 14:51:51 -08:00
Korvin Szanto
ad9a2ab00c D1535
IRC bot responds to T1000 as if you were referencing the nanomorph mimetic poly-alloy assassin.
2012-02-10 09:47:57 -08:00
vrana
5e58a016a5 Allow full anchors in remarkup object names
Summary: Remarkup object names require #1 for linking to comments which is not
very intuitive.

Test Plan:
  D1558#4e01328c
  D1558#1
  D1558#comment-1

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1565
2012-02-03 15:50:19 -08:00
vrana
6bd8542abb Avoid sending CSRF token in GET and external forms
Summary:
Sending CSRF token in GET forms is dangerous because if there are external links
on the target page then the token could leak through Referer header.
The token is not required for anything because GET forms are used only to
display data, not to perform operations.
Sending CSRF tokens to external URLs leaks the token immediately.

Please note that <form action> defaults to GET.

PhabricatorUserOAuthSettingsPanelController suffered from this problem for both
reasons.

Test Plan: Save my settings (POST form).

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1558
2012-02-03 10:58:51 -08:00
epriestley
dc36317ea4 Use 'ps <pid>' to test for process existence if posix is not available
Summary: posix may not be loaded on the web/cgi SAPI but we call posix functions
on this pathway, which we hit on /daemon/. Fall back to exec if we don't have
posix.

Test Plan: Added "&& false" and verified the page executed a bunch of "ps"
tests.

Reviewers: Koolvin, btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T821

Differential Revision: https://secure.phabricator.com/D1540
2012-02-02 16:03:36 -08:00