1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-23 23:32:40 +01:00
Commit graph

9732 commits

Author SHA1 Message Date
epriestley
69020af0c7 Make column show/hide behaviors a little simpler
Summary: Ref T7062. The previous fix caused an extra, unnecessary thread load on mobile. Make this code a bit simpler and fix the unnecessary load.

Test Plan: No more load on mobile.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7062

Differential Revision: https://secure.phabricator.com/D12196
2015-03-29 07:27:06 -07:00
Chad Little
12b2257371 Grid spacing for full Conpherence thread list
Summary: Moves to 4px grid / alignment.

Test Plan: Tested per photoshop gridlines, spacing measurements.

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12197
2015-03-28 19:28:02 -07:00
epriestley
a48b486344 Fix a race condition with the chat column
Summary:
Ref T7062. When we load a thread, we always show the column, even if it has been closed between the time we sent the request and when we're processing the response.

Normally this isn't a big deal, but it can specifically show up on mobile.

(This load also shouldn't be happening at all, but I'll fix that separately.)

Test Plan: Mobile no longer shows the column after it loads.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7062

Differential Revision: https://secure.phabricator.com/D12195
2015-03-28 15:46:13 -07:00
epriestley
29beb174d3 Don't treat Quicksand requests as isWorkflow() or isAjax()
Summary:
Fixes T7061. Although it's very simple, I think this is a complete fix.

Quicksand technically is Ajax and uses Workflow as a transport mechanism, but the server should always pretend the user clicked a normal link when rendering.

Test Plan: Links that were autoconverting into dialogs (like "Edit Task") or otherwise making the wrong behavioral choices now work as expected.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7061

Differential Revision: https://secure.phabricator.com/D12194
2015-03-28 15:45:52 -07:00
Chad Little
43be66d8b9 Fix 'Not Done' button hover state on inline comments
Summary: This rule was missing.

Test Plan: Test a comment where "Not Done" was present. Hover over button, it doesn't change.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12193
2015-03-28 10:50:42 -07:00
Chad Little
a909b48d15 Add padding to last conpherenced-edited
Summary: In cases where conpherence-edited is the last item in the pane, we should add padding.

Test Plan: Enter a Room, edit the title, see extra padding. Submit a new comment, padding returns to default.

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12192
2015-03-28 10:41:15 -07:00
epriestley
d9d0daecd7 Scroll the chat column to the bottom when images load
Summary:
Fixes T7558. This might not be 100% perfect but should solve most of the issue.

I briefly looked at things like `MutationObserver` (some fancy next-gen browser junk) but couldn't immediately get it working.

Other methods for handling this kind of thing involve polling, complicated polyfills, etc. We could give `MutationObserver` a more serious effort if this is too leaky.

Test Plan:
  - In a thread with some images, reloaded the page and saw the scrollbar stay at the bottom.
  - Tested with and without USB devices attached.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7558

Differential Revision: https://secure.phabricator.com/D12191
2015-03-28 08:35:12 -07:00
epriestley
ad1bed136c Fix an issue with returning to a the initial page in Quicksand
Summary: Fixes T7058. We weren't propagating `state` properly so some other code ended up doing the wrong thing.

Test Plan:
  - Clicked from Home -> Anything -> Home under Quicksand, saw reloads with no double requests.
  - Used "back", saw back button work properly.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7058

Differential Revision: https://secure.phabricator.com/D12190
2015-03-28 07:38:14 -07:00
epriestley
95efd50470 Remove stray debugging code
Auditors: chad
2015-03-28 07:14:14 -07:00
epriestley
8c1a1312e8 Improve column device behaviors
Summary:
Fixes T7062. When the column is open, we only want to consider the screen width which is avilable for content when computing responsive breakpoints.

Specificially, if you have a 1000px wide browser window (normally "desktop") but the column is open (300px) so you only have 700px free for content (normally "tablet"), we should drop to the tablet breakpoint. This lets you have a narrow column of "tablet" content next to the chat column, instead of a really squished column of "desktop" contnet.

This also means the chat column can't directly use JX.Device to hide itself.

Test Plan: Resized screen with column open, saw content go from Desktop + Column -> Tablet + Column -> Tablet -> Mobile.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7062

Differential Revision: https://secure.phabricator.com/D12189
2015-03-28 06:54:23 -07:00
epriestley
21454842bf Fix comment previews in Quicksand
Summary:
Fixes T7063. Fixes T7059. We were running some extra unnecessary behaviors. In particular, we would render the menu but not actually send it over the wire, so some behaviors would execute, fail to find the nodes they expected, and throw. This cascaded into some other failures.

Do less work and don't activate behaviors which won't be able to run.

Test Plan: Clicked around, no more errors on page transition. Comment previews work.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7059, T7063

Differential Revision: https://secure.phabricator.com/D12188
2015-03-28 06:54:04 -07:00
Chad Little
637974a190 Polish up Done Button UI States
Summary:
Improves the UI quite a bit.

 - `dashed` borders //everywhere// to denote **Unsubmitted**
 - `$sky` sprinkled everywhere to denote **Done**
 - Consilidate `inline-state-is-draft` to simply styles.

Test Plan:
Sent myself test comments, logged out, read comments on new account. Marked as done, submitted.

{F352240}

{F352242}

{F352245}

{F352246}

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12187
2015-03-27 18:30:09 -07:00
epriestley
a17542ab28 Touch up PHP/JS interactions for inline comments
Summary:
Ref T1460. Overall:

  - Pass `objectOwnerPHID` consistently.
  - Pass viewer consistently.
  - Set the correct draft state for checkboxes on the client.

Test Plan:
  - Made inline comments in Differential.
  - Made inline comments in Diffusion.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T1460

Differential Revision: https://secure.phabricator.com/D12186
2015-03-27 17:08:31 -07:00
Chad Little
b560014577 Revamp inline commenting UI
Summary:
Rebuilds the UI in Differential commenting. Specifically we look at the following design patterns:

**To the author:**
 - The author of the diff should be able to easily identify what comments are done and not done.
 - We keep undone comments yellow
 - Clicking done turns comment block into 'unsubmitted state'

**To the reviewer:**
 - Easier understanding of unsubmitted states
 - All conversations to be yellow/important

**Todo**
 - Not all color CSS states correct
 - Unpulished checkbox support

Test Plan:
Test leaving comments, published and unpublished. Checking Done, unpublished and published. Check delete states.

From the Diff Author's perspective:
{F352094}

For a Diff commenter's perspective:
{F352095}

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T1460, T7660, T7503

Differential Revision: https://secure.phabricator.com/D12171
2015-03-27 16:00:09 -07:00
epriestley
174cf82398 Provide getObjectOwnerPHID() on inline comment views
Summary:
This returns the PHID of the current revision owner, or the commit author, if one exists.

NOTE: For drafts, we currently return `null`; I'll fix that in a future change. Should be correct for submitted comments.

Test Plan: Added an inline, nothing seemed broken.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D12185
2015-03-27 11:23:10 -07:00
Chad Little
90ccd37a8c Add some spacing around jx-tooltips
Summary: Using tooltips with icons is problematic because we currently draw the arrow after the tooltip location, meaning it goes 5px into the container. This gives a 5px padding around the outer container to better account for this.

Test Plan: tested tooltips in remarkup bar, project icon nav, and in durable column.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12184
2015-03-27 10:38:28 -07:00
epriestley
52a4c821f5 Specifically describe "local.json" in backup/migration config documentation
Summary: Fixes T7648. The existence of this file is not necessarily obvious and is important to backup, transfer, and restore.

Test Plan: Read documentation.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7648

Differential Revision: https://secure.phabricator.com/D12183
2015-03-27 09:20:51 -07:00
Bob Trahan
a428bb8ad4 Conpherence - fix bug with possible null value
Summary: Fixes T7675. epriestley caught this in code review and I didn't implement it all the way

Test Plan: logicypoo

Reviewers: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7675

Differential Revision: https://secure.phabricator.com/D12181
2015-03-27 06:32:23 -07:00
epriestley
0dda809da6 Fix a translation string
Summary: Fixes T7672. This had two `%d` conversions but only one parameter.

Test Plan: Adjusted limit to 0, viewed a merge, saw proper message.

Reviewers: chad, btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7672

Differential Revision: https://secure.phabricator.com/D12180
2015-03-26 17:12:00 -07:00
Bob Trahan
22501ab31e Conpherence - unit tests for T7670
Summary: Ref T7670. Add a few unit tests to make sure deleting everyone works. Also change remaining processRequest to handleRequest while in there.

Test Plan: `arc unit` passed

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7670

Differential Revision: https://secure.phabricator.com/D12179
2015-03-26 16:46:47 -07:00
Bob Trahan
39fa190c15 Conpherence - get lots of rooms stuff hooked up nicely
Summary:
Ref T7566. This does a big chunk of what's left

 - Main view
  - "Rooms" sub header
    - 5 Rooms shown at a time, with room you're looking at in the top on page load
      - e.g. viewing /conpherence/x/ the room x is at top always
      - solves corner case of when you have yet to "join" the room
    - "See More" link takes you to application search for rooms you have participated in
    - if no rooms, there is a "Create Room" and "Find Rooms" links.
  - "Messages" sub header
    - same as before
  - policy icons showing up in the menu
 - Durable column view - still just the latest N, no changes really there
 - Transactions - special cased rendering to try to say room vs thread as appropos
 - Bug fix - we weren't recording the initial participants transaction post D12177 / D12163. This fixes that.

Should probably test pagination, and if you want to show more than 5 rooms of have it behave more like messages (where you can wind up in the middle of a paginated list) that will be more work. Also, if lots of messages / rooms (100 is the limit) we might not display rooms if we're supposed to. Yay whale usage! :D

Test Plan: made a new room - success. made a new message - success.  viewed a room from /conpherenece/room/ i wasn't a participant in and noted it showed up at the top of the five rooms. clicked around rooms and stuff loaded nicely.

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7566

Differential Revision: https://secure.phabricator.com/D12178
2015-03-26 16:37:32 -07:00
Chad Little
9005ce4e9f Fix first new edited message in full Conpherence spacing
Summary: In new Conpherences, add some padding to the conpherence-edited rule if it's the first child of conpherence-messages.

Test Plan: Test a new Conpherence

Reviewers: epriestley, btrahan

Reviewed By: btrahan

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12175
2015-03-26 13:40:42 -07:00
Bob Trahan
d2e59b2289 Conpherence - fix missing method
Summary: Fixes T7669. Broken by D12163 re-factoring and foolihardiness of test coverage. Notably / interestingly, this was broken before D12163 from not implementing policy correctly, so Conpherence has been broken for a bit with few reports.

Test Plan: had user send himself a message

Reviewers: chad, epriestley

Reviewed By: chad, epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7669

Differential Revision: https://secure.phabricator.com/D12177
2015-03-26 13:35:48 -07:00
Chad Little
6b74873358 Update icon color in Durable Column header-text
Summary: Moving to an rgba color here to work better with all the various header colors.

Test Plan: Reload sandbox, see new icon color.

Reviewers: epriestley, btrahan

Reviewed By: btrahan

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12176
2015-03-26 13:34:34 -07:00
Chad Little
c4799b2c45 Basic touchups to Phortune UI
Summary: This is just a quick pass to fix a few bugs and spacing issues, Phortune itself could probably use some more custom UI, but that'll require some thought and abstraction. This also adds a new taller table CSS, which I mayyyy make automatic on tables with few rows, we'll see.

Test Plan: Browsed my Phortune account, tested new spacing on `admin` for 'full effect'

Reviewers: epriestley, btrahan

Reviewed By: btrahan

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12115
2015-03-26 13:16:09 -07:00
Bob Trahan
871c06ab4e Calendar - error better with invalid time values
Summary: Fixes T7665. Unfortunately when the user messes this up its not easy to partially recover so we just reset that time to the default.

Test Plan: set time to "00:00 AM" and got a sensible error.

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7665

Differential Revision: https://secure.phabricator.com/D12174
2015-03-26 13:02:49 -07:00
Chad Little
4ae28837fd Update Conpherence CSS to handle multiple edits better
Summary: Fixes T7655. We'll set tighter spacing around edit clusters. Also darkened up the date marker and remove unused `phabricator-transaction-view` CSS that was still scattered around the site.

Test Plan: Test a full and column multi-edit spam. Visited Ponder and Diffusion, noticed no issues using those apps. Grepped for other users of `phabricator-transaction-view`

Reviewers: epriestley, btrahan

Reviewed By: btrahan

Subscribers: Korvin, epriestley

Maniphest Tasks: T7655

Differential Revision: https://secure.phabricator.com/D12148
2015-03-26 12:56:58 -07:00
Bob Trahan
e4b7263bf8 Conpherence - Differentiate audience of Threads/Rooms with icon
Summary:
Fixes T7629 plus an un filed bug that's breaking creating new threads since we need to add participants EVEN EARLIER than we were doing it now that policy is actually enforced.

Back to the main thrust of this, there is one UI corner case - in the main view if you go from 1:1 to 1:1:1 (i.e. add a 3rd recipient, or Nth in a row) the icon only updates on page reload. I figure this will get sorted out at a later refactor as we make the client better / share more code with durable column.

One other small behavioral oddity is in the main view sometime we start loading with no conpherence. in that case, rather than show some incorrect icon, we show no icon (and "no title") and then things change at load. Seems okay-ish.

Finally, @chad - the CSS is a very work-man-like "use the built in stuff you can specify from PHP" so I'm sure it needs some love.

Test Plan: made all sorts of rooms and threads and liked the icons. noted smooth loading action as i switched around

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: Korvin, chad, epriestley

Maniphest Tasks: T7629

Differential Revision: https://secure.phabricator.com/D12163
2015-03-26 12:24:29 -07:00
epriestley
ffe654e5e3 Fix directory moves and copies in Subversion hosted repositories
Summary: Fixes T6490.

Test Plan:
```
$ svn mv dir/ dir2
A         dir2
D         dir
D         dir/list.txt

$ svn commit -m 'Move dir/ to dir2/'
Deleting       dir
Adding         dir2

Committed revision 3.

$ svn cp dir2/ dir3
A         dir3

$ svn commit -m 'Copy dir2/ to dir3/'
Adding         dir3

Committed revision 4.
```

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6490

Differential Revision: https://secure.phabricator.com/D12173
2015-03-26 11:13:41 -07:00
epriestley
a4bfed8415 Censor response bodies from Mercurial error messages
Summary:
Ref T6755. In Git and Subversion, running `git clone http://google.com/` or `svn checkout http://google.com/` does not echo the response body.

In Mercurial, it does. Censor it from the output of `hg pull` and `hg clone`. This prevents an attacker from:

  - Creating a Mercurial remote repository with URI `http://10.0.0.1/secrets/`; and
  - reading the secrets out of the error message after the clone fails.

Test Plan: Set a Mercurial remote URI to a non-Mercurial repository, ran `repository update`, saw censored error message.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6755

Differential Revision: https://secure.phabricator.com/D12170
2015-03-26 11:13:17 -07:00
epriestley
40fb0f98df Mostly defuse DNS rebinding attack for outbound requests
Summary: Ref T6755. I'll add some notes there about specifics.

Test Plan:
  - Made connections to HTTP and HTTPS URIs.
  - Added some debugging code to verify that HTTP URIs were pre-resolved.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6755

Differential Revision: https://secure.phabricator.com/D12169
2015-03-26 11:12:22 -07:00
epriestley
2e72e9ff31 Rate limit outbound requests in Macros
Summary:
Ref T6755. Although we do not return response bodies, it is possible to perform crude portscanning if you can execute a DNS rebinding attack (which, for now, remains theoretical).

Limit users to 60 requests / hour to make it less feasible. This would require ~30 years to portscan all ports on a `/32` netblock.

Users who can guess that services may exist can confirm their existence more quickly than this, but if the attacker already had a very small set of candidate services it seems unlikely that portscanning would be of much use in executing the attack.

This protection should eventually be applied to T4190, too (that task also has other considerations).

Test Plan: Set rate limit very low, hit rate limit.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6755

Differential Revision: https://secure.phabricator.com/D12168
2015-03-26 11:11:52 -07:00
epriestley
cce6d06fa5 Move abandoned revisions to "needs review" when updated
Summary:
Fixes T7602. This is similar to the existing behavior for "changes planned" and "needs revision" revisions.

Also fix the "Update Diff" workflow so it correctly selects closed revisions as attachable.

Test Plan: Updated an abandoned revision, saw it change to "Needs Review".

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7602

Differential Revision: https://secure.phabricator.com/D12167
2015-03-26 11:11:33 -07:00
epriestley
731404445f Improve task subpriority movement algorithm for homogenous blocks
Summary:
Fixes T7664. When there are a large number of tasks (400+) with the same subpriority (which can happen if the subpriority features are rarely used), it may take more than 30 seconds to rebalance them.

Make the algorithm more aggressive about rebalancing homogenous blocks of tasks.

This may need to get even fancier, but I'd guess it can process blocks 1-2 orders of magnitude larger, which should be ~all installs.

(If someone still hits issues with this, I'll make it fancier.)

Once a block is rebalanced, it doesn't need to be rebalanced again (at least, not as a whole block) so we basically just need to get over the initial hurdle here and then we're good.

In the worst case, we can provide `bin/maniphest rebalance` or similar and do the rebalance step offline.

And, in any case, we have more test coverage here now.

Test Plan:
  - Existing tests.
  - New tests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7664

Differential Revision: https://secure.phabricator.com/D12166
2015-03-26 11:11:23 -07:00
Chad Little
4bdc51237a Add ability to have tooltips on buttons
Summary: Enables a basic tooltip when using icon buttons and a convenience method for setting an icon.

Test Plan: Built a UIExample.

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12172
2015-03-26 11:09:20 -07:00
Elan Kugelmass
fe89d67663 Fixes spelling error in settings log on auth provider pages
Summary: The settings logs on auth provider pages shows "enabled accont linking" instead of "enabled account linking."

Test Plan: Checked the copy on the settings log.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D12164
2015-03-26 03:49:58 -07:00
Chad Little
47114513b0 More SIMPLE button styles for buttons and button bars
Summary: Ref T1460, this adds additional buttons colors and styles for use in inline comments. Will also backport to Calendar and PHUIInfoView

Test Plan:
Review new buttons and hover states in UI Examples.

{F350549}

{F350550}

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T1460

Differential Revision: https://secure.phabricator.com/D12162
2015-03-25 12:51:54 -07:00
Bob Trahan
42a0229a52 Conpherence - Implement edit rules for rooms
Summary: Fixes T7586. If you can't edit a room, the pertinent UI is greyed out. One exception is the title of the room in the full viewer; this crumb is not disabled as it would be hard to read. Otherwise though, everything is disabled nicely.

Test Plan: tried to add participants when I wasn't allowed to and got an error. added participants otherwise okay. tried to edit title when i wasn't allowed and got an error. otherwise okay. left conpherence threads / rooms successfully.

Reviewers: epriestley, chad

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7586

Differential Revision: https://secure.phabricator.com/D12161
2015-03-25 11:48:22 -07:00
epriestley
1fd163d097 Mostly provide CSS for "done" states
Summary: Ref T7660. I'm not toggling "inline-state-is-draft" correctly in JS yet since it's a little tricky (you can reload to see it) but the main state should work.

Test Plan:
  - Clicked "done", saw comment opacity fade with placeholder style.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7660

Differential Revision: https://secure.phabricator.com/D12160
2015-03-25 10:57:08 -07:00
epriestley
e5445de163 Show only recent open revisions affecting the same files
Summary: Fixes T5658. Over a long period of time, some cruft can build up here. Only show revisions which have been updated in the last 30 days.

Test Plan:
  - Viewed panel in Differential and Diffusion.
  - Changed limit from 30 days to 30 seconds and saw no revisions.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5658

Differential Revision: https://secure.phabricator.com/D12158
2015-03-25 10:21:56 -07:00
epriestley
6ce4044bfa Lock MIME type configuration
Summary:
Ref T6755. This mitigates an attack where you:

  - compromise an administrative account;
  - configure "text/plain" as an "image" MIME type; and
  - create a new macro sourced from a sensitive resource which is locally accessible over HTTP GET, using DNS rebinding.

You can then view the content of the resource in Files. By preventing the compromised account from reconfiguring the MIME types, the server will instead destroy the response and prevent the attacker from seeing it.

In general, these options should change very rarely, and they often sit just beyond the edge of security vulnerabilities anyway.

For example, if you ignore the warnings about an alternate file domain and elect to serve content from the primary domain, it's still somewhat difficult for an attacker to exploit the vulnerability. If they can add "text/html" or "image/svg+xml" as image MIME types, it becomes trivial. In this case not having an alternate domain is the main issue, but easy modification of this config increases risk/exposure.

Test Plan: Viewed affected config and saw that it is locked.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6755

Differential Revision: https://secure.phabricator.com/D12154
2015-03-25 10:16:22 -07:00
epriestley
17e1e7a65a Document the need to purge caches after updating differential.generated-paths
Summary: Fixes T6378.

Test Plan: Set config to `/.*/`, created a new diff, everything was collapsed as generated.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T6378

Differential Revision: https://secure.phabricator.com/D12159
2015-03-25 07:29:09 -07:00
epriestley
c03297ab5a Fix interaction between undo and inline comment placement
Summary:
Fixes T7658. Currently, we remove the "undo" before placing the comment, but that causes us to lose track of which row we should be examining.

Instead, place the comment first, then remove the "undo".

Test Plan: This stuff is hard to test comprehensively, but the original report reproduced easily and is now fixed. I wasn't able to break anything by adding/editing/deleting comments.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7658

Differential Revision: https://secure.phabricator.com/D12157
2015-03-25 07:14:12 -07:00
epriestley
4f8147dbb8 Improve protection against SSRF attacks
Summary:
Ref T6755. This improves our resistance to SSRF attacks:

  - Follow redirects manually and verify each component of the redirect chain.
  - Handle authentication provider profile picture fetches more strictly.

Test Plan:
  - Tried to download macros from various URIs which issued redirects, etc.
  - Downloaded an actual macro.
  - Went through external account workflow.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6755

Differential Revision: https://secure.phabricator.com/D12151
2015-03-24 18:49:01 -07:00
epriestley
22b2b8eb89 Fix a bad call in file chunk destruction
Summary: This signature changed at some point after I tested things and I didn't catch it.

Test Plan: Destroyed a chunked large file with `bin/remove`.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D12152
2015-03-24 18:48:51 -07:00
Bob Trahan
25767096c9 Conpherence - implement join / view rules for rooms
Summary:
Ref T7585. This implements everything specified, with a few caveats

- since rooms you have yet to join can't be viewed in the column yet, the column view has some bugs and isn't expected to work.
- the room you're looking at is just pre-pending to the top of the "recent" list

Test Plan: made a room that no one could join. verified when viewing that there was no comment ui. made a room that others could join. verified folks who had yet to join had a "join" button with an area for text. tried joining with / without message text and it worked in both cases

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7585

Differential Revision: https://secure.phabricator.com/D12149
2015-03-24 18:38:16 -07:00
epriestley
aa310230b6 Detect moves and copies with some unchanged lines as moves or copies
Summary:
Ref T1266. We won't detect a move/copy if fewer than 3 lines are changed.

However, you may move a block like:

  Complicated Line A
  Trivial Line B
  Complicated Line C

...where "Trivial Line B" is something like a curly brace. If you move this block somewhere that happened to previously have a similar trivial curly brace line, we won't be able to find 3 contiguous added lines in order to detect the copy/move.

Instead, consider both changed and unchanged lines when trying to find contiguous blocks. This allows us to detect across gaps where lines were not actually changed.

This new algorithm may be too liberal (for example, we may end up incorrectly identifying moved/copied code before or after changed lines, not just between changed lines), but we can keep an eye on it and tweak it. The algorithm is better factored and better covered, now.

Test Plan:
  - Added a unit test for this case.
  - Spot-checked a handful of diffs and generally saw behavior that made sense and looked better than before.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T1266

Differential Revision: https://secure.phabricator.com/D12146
2015-03-24 13:12:24 -07:00
epriestley
373aaa643a Clean up copy detection code a bit
Summary:
Ref T1266. This doesn't change any behaviors, but some of this code has a lot of really complicated conditionals and I tried to break that up a bit.

Also, reexpress this stuff in terms of the "structured" parser in D12144.

Test Plan: Unit tests still pass. They aren't hugely comprehensive but did reliably fail when I screwed stuff up.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T1266

Differential Revision: https://secure.phabricator.com/D12145
2015-03-24 13:12:09 -07:00
epriestley
74a4c2cf0b Provide better parsing primitives for hunks
Summary:
Ref T1266. This prepares to fix case (2) on T1266 by improving the robustness of hunk parsing.

In particular, the copy detection code abuses this API because it isn't currently expressive or flexible enough.

Make it more flexible and cover it exhaustively.

I'll move callsites to the new stuff in upcoming revisions.

Test Plan: Unit tests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T1266

Differential Revision: https://secure.phabricator.com/D12144
2015-03-24 13:11:37 -07:00
Bob Trahan
dcaafd6159 Conpherence - grey out username mentions if they aren't in the conpherence
Summary: Fixes T7578. This was pretty easy because conpherence funnels all transacton stuff through this spot

Test Plan: made a new room so only my user was a participant. wrote "@myself will work and @anotherguy will be greyed out" and so it was as expected

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7578

Differential Revision: https://secure.phabricator.com/D12114
2015-03-24 13:08:53 -07:00