1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-19 13:22:42 +01:00
Commit graph

29 commits

Author SHA1 Message Date
epriestley
39b4d20ce5 Create AphrontWriteGuard, a backup mechanism for CSRF validation
Summary:
Provide a catchall mechanism to find unprotected writes.

  - Depends on D758.
  - Similar to WriteOnHTTPGet stuff from Facebook's stack.
  - Since we have a small number of storage mechanisms and highly structured
read/write pathways, we can explicitly answer the question "is this page
performing a write?".
  - Never allow writes without CSRF checks.
  - This will probably break some things. That's fine: they're CSRF
vulnerabilities or weird edge cases that we can fix. But don't push to Facebook
for a few days unless you're prepared to deal with this.
  - **>>> MEGADERP: All Conduit write APIs are currently vulnerable to CSRF!
<<<**

Test Plan:
  - Ran some scripts that perform writes (scripts/search indexers), no issues.
  - Performed normal CSRF submits.
  - Added writes to an un-CSRF'd page, got an exception.
  - Executed conduit methods.
  - Did login/logout (this works because the logged-out user validates the
logged-out csrf "token").
  - Did OAuth login.
  - Did OAuth registration.

Reviewers: pedram, andrewjcg, erling, jungejason, tuomaspelkonen, aran,
codeblock
Commenters: pedram
CC: aran, epriestley, pedram
Differential Revision: 777
2011-08-16 13:29:57 -07:00
epriestley
6f388f97d9 Improve Phabricator behavior for fatal errors
Summary:
  - Exceptions on the rendering pathway currently go uncaught and result in a
blank page. Commonly, this is a bad require_celerity_resource() call. Although
we can't safely render a page if the rendering pathway is broken, we can show a
useful message.
  - When PHP exits because of a fatal error, there is an opportunity to run code
in the shutdown handler. This allows us to show messages at least some of the
time, e.g. "call to unknown function derp() in somefile.php at line 99"
  - flip dem tables

Test Plan: Added fatals ("derp();") and rendering exceptions
("require_celerity_resource('does-not-exist')") to a controller and verified
that the error handling behavior is now more useful.
Reviewed By: aran
Reviewers: jungejason, tuomaspelkonen, aran
CC: aran, epriestley
Differential Revision: 680
2011-07-18 07:23:01 -07:00
epriestley
d28326446d Detect obviously erroneous "memory_limit" configurations
Summary: See comment. ALSO: THIS DIFF IS AMAZING.
Test Plan: Changed my memory limit to something absurd, got yelled at.
Reviewed By: mroch
Reviewers: colmdoyle, jungejason, aran, tuomaspelkonen, codeblock, tomo, mroch,
hsb
CC: aran, mroch, epriestley
Differential Revision: 657
2011-07-12 15:52:32 -07:00
epriestley
7aa3582120 Improve error messages for PHABRICATOR_ENV
Summary:
- Allow user to specify "myconf" (recommended) or "myconf.conf.php" (less
surprising).
  - Make sure syntax errors and other problems are surfaced.
  - If the configuration value isn't valid, give them a list of all valid
values.

Test Plan:
- Added a syntax error, got a useful error.
  - Set PHABRICATOR_ENV to a silly value, got a list of valid values.
  - Set PHABRICATOR_ENV to have .conf.php suffix, site still worked.

Reviewed By: kevinwallace
Reviewers: kevinwallace, codeblock, aran, jungejason, tuomaspelkonen
CC: aran, epriestley, kevinwallace
Differential Revision: 381
2011-05-31 19:18:36 -07:00
epriestley
d202e71ef1 Use parallel syntax highlighting API in differential
Summary:
Use the new API from D322 to highlight text in parallel in Differential.

Test Plan:
Verified that pygemntize calls started within 20ms of one another in DarkConsole
(also: added a feature to let me do this) instead of running serially.

Reviewed By: aran
Reviewers: jungejason, tuomaspelkonen, aran
CC: aran
Differential Revision: 323
2011-05-22 07:21:10 -07:00
epriestley
c6beb7a4fb Move to explicit initialization of PhutilErrorHandler. 2011-05-11 07:20:04 -07:00
epriestley
f7e2b03077 Add a "setup" mode which guides new users through application configuration
Summary:
Alters the installation instructions to guide installers into a "setup" mode
which does config file sanity checking.

Test Plan:
Put myself in setup mode, simulated all the failures it detects, took myself out
of setup mode, Phabricator works OK.

Reviewed By: tuomaspelkonen
Reviewers: jungejason, tuomaspelkonen, aran
CC: aran, tuomaspelkonen, epriestley
Differential Revision: 230
2011-05-10 15:12:30 -07:00
epriestley
5da364f8f9 Detect and fatal on magic_quotes_gpc
Summary:
This is evil, don't run with it enabled. Somehow got enabled on my
laptop?

Test Plan:
Loaded phabricator with magic_quotes_gpc enabled, was rebuffed.

Reviewed By: aran
Reviewers: jungejason, tuomaspelkonen, aran
CC: aran
Differential Revision: 184
2011-04-29 20:26:05 -07:00
epriestley
aa0ff43999 xhpastview 2011-04-06 22:43:56 -07:00
tuomaspelkonen
d5ee8c792c Modified DarkConsole Error Log to show more detailed information.
Summary:
When function phlog() is called, stacktrace and detailed log information
is shown in DarkConsole.

Test Plan:
Called 'phlog' function from various places in Phabricator and checked that
the debug information was available in DarkConsole.

Reviewed By: epriestley
Reviewers: epriestley
CC: jungejason, epriestley
Differential Revision: 101
2011-04-06 14:30:54 -07:00
epriestley
c72d9980d5 Slightly improve error message when the user specifies a bogus
config file.
2011-04-05 10:48:36 -07:00
epriestley
cc66c4890d Commit + Herald integration. 2011-04-04 14:13:14 -07:00
epriestley
3af9919e1c Add 'phabricator.timezone' config for HPHP installs. 2011-04-02 17:21:16 -07:00
epriestley
e6cf7a9cb0 More Diffusion junk. 2011-03-30 22:08:41 -07:00
epriestley
a100d97ed5 Preserve "next" URI by using OAuth 'state' parameter
Summary:
When a user clicks a link like /T32 and has to login, redirect them
to the resource once they've authenticated if possible. OAuth has a param
specifically for this, called 'state', so use it if possible. Facebook
supports it but Github does not.

Test Plan:
logged in with facebook after viewing /D20

Reviewed By: aran
Reviewers: aran
CC: aran, epriestley
Differential Revision: 61
2011-03-07 22:00:57 -08:00
epriestley
6439cd9856 Revert HipHop volatile symbol workaround. 2011-03-02 17:21:23 -08:00
epriestley
eccc76dae6 Fix some issues caught by HipHop, and work around some issues
caused by HipHop.
2011-02-26 21:01:42 -08:00
epriestley
d4bd2b0edd Add support for a PHUTIL_LIBRARY_ROOT variable in $_SERVER to make
it easeir to build Phabricator for hphp.
2011-02-25 18:58:37 -08:00
epriestley
0114a29681 Improve some of the top-level application hooks and setup messages.
Summary:

Test Plan:

Reviewers:

CC:
2011-02-24 14:52:57 -08:00
epriestley
a4852d4a64 Dedupe conf loading function.
Summary:

Test Plan:

Reviewers:

CC:
2011-02-11 13:17:06 -08:00
epriestley
7c3cd26510 Do an explicit check for MySQL install status.
Summary:

Test Plan:

Reviewers:

CC:
2011-02-07 20:55:33 -08:00
epriestley
c93dd9c090 Flesh out some DarkConsole stuff. 2011-02-02 22:38:42 -08:00
epriestley
a5c0c277ca Very slightly less terrible XHProf implementation. 2011-02-02 16:14:23 -08:00
epriestley
759eec3a77 Very rough cut of DarkConsole + XHProf 2011-02-02 13:48:52 -08:00
epriestley
03fec6e911 PhabricatorEnv
'infratructure' -> 'infrastructure' (rofl)
Recaptcha
Email Login / Forgot Password
Password Reset
2011-01-31 11:55:26 -08:00
epriestley
6c37f918b1 Somewhat proper 404 page, plus HTTP response code. 2011-01-30 08:44:28 -08:00
epriestley
ccf7df6093 Authentication 2011-01-26 15:34:20 -08:00
epriestley
dec8bac3a3 Conduit: differential.creatediff 2011-01-24 11:28:12 -08:00
epriestley
76258ce0e1 Import some code, some of which may be relevant to the project. 2011-01-17 19:31:39 -08:00