Summary:
Ref T3684. The URI itself is reflected in a few places. It is generally not dangerous because we only let you add random stuff to the end of it for one or two controllers (e.g., the file download controller lets you add "/whatever.jpg"), but:
- Remove it entirely in the main request, since it serves no purpose.
- Remove query parameters in Ajax requests. These are available in DarkConsole proper.
Also mask a few things in the "Request" tab; I've never used these fields when debugging or during support, and they leak quasi-sensitive information that could get screenshotted or over-the-shoulder'd.
I didn't mitgate `__metablock__` because I think the threat is so close to 0 that it's not worthwhile.
Test Plan: Used Darkconsole, examined Requests tab.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T3684
Differential Revision: https://secure.phabricator.com/D6699
Summary: Ref T3684 for discussion. This could be cleaned up a bit (it would be nice to draw entropy once per request, for instance, and maybe respect CSRF_TOKEN_LENGTH more closely) but should effectively mitigate BREACH.
Test Plan: Submitted forms; submitted forms after mucking with CSRF and observed CSRF error. Verified that source now has "B@..." tokens.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T3684
Differential Revision: https://secure.phabricator.com/D6686
Summary:
Ref T2852. Two issues:
- Embeds (`T12`, `{T12}`) have some handle issues because handles run afoul of visibility checks under some configs. Make handles unconditionally visible.
- Asana links don't render correctly into text mode. Give them a valid text mode rendering so they don't flip out.
Test Plan: Made comments with `T12` and `http://app.asana.com/...` and published them to Asana.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T2852
Differential Revision: https://secure.phabricator.com/D6696
Summary: Ref T2852. After some discussion, Asana doesn't want "close" stories either.
Test Plan: Used `bin/feed republish` to publish close and non-close stories from Differential and Diffusion. Verified comments were synchronized in the expected cases.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T2852
Differential Revision: https://secure.phabricator.com/D6697
Summary: Tightens up the CSS to display more items (4 wide on 15") and fixes some mobile CSS issues with appseach. Fixes T3614
Test Plan: Tested Pholio, Macros, mobile layouts
Reviewers: epriestley, btrahan
Reviewed By: epriestley
CC: aran, Korvin
Maniphest Tasks: T3614
Differential Revision: https://secure.phabricator.com/D6694
Summary: We already show transaction and maniphest comments.
Test Plan: Review my feed, see diff comment.
Reviewers: epriestley, btrahan
Reviewed By: epriestley
CC: aran, Korvin
Differential Revision: https://secure.phabricator.com/D6687
Summary: This adds hovercards to most stories and removes the profile photo from one line stories. I don't know about my implementation, which has difficulties with application transactions (because it shows status). Which leads me to a bigger question, which is can we render all people through a common function like AphrontTagView so we can easily class and/or hovercard it anywhere.
Test Plan: Reviewed my feed, various stories.
Reviewers: epriestley, btrahan
Reviewed By: epriestley
CC: aran, Korvin
Differential Revision: https://secure.phabricator.com/D6684
Summary: Fixes T3680. One description was wrong, and clean up some of the other stuff.
Test Plan: Ran `phd`.
Reviewers: btrahan, Korvin
Reviewed By: Korvin
CC: aran, jifriedman, Korvin
Maniphest Tasks: T3680
Differential Revision: https://secure.phabricator.com/D6683
Summary: Email replies and subscribers seem to go hand in hand so deploy both at once.
Test Plan: played around with bin/mail. Verified replies posted comments on the paste.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, Korvin
Maniphest Tasks: T3650
Differential Revision: https://secure.phabricator.com/D6682
Summary: Ref T2625. This doesn't do anything fancy, but gives feed a little more flexibility.
Test Plan: Viewed `/feed/`.
Reviewers: btrahan, chad
Reviewed By: chad
CC: aran
Maniphest Tasks: T2625
Differential Revision: https://secure.phabricator.com/D6681
Summary: Ensures that weird behavior from filter_input_array does not remove keys from superglobals. Should fix T3677.
Test Plan:
Checked that $_SERVER contained same number of keys before and after
filtering, and that those affected by the original bug continue to be filtered
correctly.
Reviewers: epriestley, btrahan
Reviewed By: epriestley
CC: zorfling, aran, Korvin, wez
Maniphest Tasks: T3677
Differential Revision: https://secure.phabricator.com/D6680
Summary: Ref T3671. Depends on D6674. Continues work in D6673, D6674 and extends it into Legalpad and Phriction. Then deletes a bunch of dead code.
Test Plan: Edited documents in Legalpad and Phriction, verified I got reasonable looking previews.
Reviewers: btrahan, Firehed
Reviewed By: btrahan
CC: aran, chad
Maniphest Tasks: T3671
Differential Revision: https://secure.phabricator.com/D6675
Summary:
Ref T3578. Ref T3671. Depends on D6673. Use `PHUIRemarkupPreviewPanel` (introduced in D6673) to provide question create/edit and answer edit previews in Ponder.
Then delete a million lines of duplicate code.
Test Plan: Edited a question; edited an answer. Saw live previews.
Reviewers: btrahan, Firehed
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T3578, T3671
Differential Revision: https://secure.phabricator.com/D6674
Summary:
Ref T3671. A lot of applications have pretty ad-hoc preview code. Clean it up a bit and add Summary preview to Differential.
After ApplicationTransactions we might want to try to serialize the whole form and show a preview of all the transactions, but this seems not very useful in most cases (I'd guess that Remarkup previews are 99% of the value) and tricky to get right (e.g., adding images which don't exist yet to Pholio mocks).
I think I can add this in a few other places, too.
Test Plan:
Edited Maniphest Tasks and Differential Revisions, mashed some buttons. Verified previews rendered correctly. Grepped for removed CSS classes (no hits).
{F52907}
Reviewers: btrahan, Firehed
Reviewed By: btrahan
CC: aran, chad
Maniphest Tasks: T3671
Differential Revision: https://secure.phabricator.com/D6673
Summary: Fixes T3679. This comes up every so often and the old script is extremely broad (nuke everything in a repository). Provide a more surgical tool.
Test Plan: Ran a bunch of variations of the script and they all seemed to work OK.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran, staticshock
Maniphest Tasks: T3679
Differential Revision: https://secure.phabricator.com/D6678
Summary: Fixes T3678. I think some very old rows may have a junk value here. This will be obsoleted by ApplicationTransactions and other modernization, most likely, so just fix it locally.
Test Plan: looked at a task
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T3678
Differential Revision: https://secure.phabricator.com/D6677
Summary: This puts back the 'one line' story we previously had with the updated design.
Test Plan: Review my feed.
Reviewers: epriestley, btrahan
Reviewed By: epriestley
CC: aran, Korvin
Differential Revision: https://secure.phabricator.com/D6666
Summary:
Fixes issue where double-encoding of $_SERVER occurs when php.ini forces all input to be sanitized
Ex:
filter.default = full_special_chars
filter.default_flags = 36
Fix line length
Test Plan: Encountered issue on clean install when registring new user (phusr not defined for email verification). php.ini on that server contains above filter settings. nginx/php-fpm with recommended settings for that server block from setup guide.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, epriestley
Differential Revision: https://secure.phabricator.com/D6672
Summary:
Previously, if there were no macros, we would ping conduit for a list of macros until we got something. Now we cache false when there are no results.
T3045
Test Plan: Ensure the init doesn't call the ##macro.query## conduit method more than once during the PhabricatorBot's lifetime.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran
Maniphest Tasks: T3045
Differential Revision: https://secure.phabricator.com/D6671
Summary:
Add the ability to select singular and multiple lines in paste to highlight.
This is related to T3627
Test Plan: Create a paste, select one or more lines.
Reviewers: epriestley, tberman
Reviewed By: epriestley
CC: aran, chad
Maniphest Tasks: T3627
Differential Revision: https://secure.phabricator.com/D6668
Summary: Fixes T3673. Supposedly we won't get any data in this case, but it seems we sometimes do. See discussion in task.
Test Plan: Used `var_dump()`, etc., to verify we short circuit out of "multipart/form-data" posts regardless of the presence of input data.
Reviewers: nmalcolm, btrahan
Reviewed By: nmalcolm
CC: aran
Maniphest Tasks: T3673
Differential Revision: https://secure.phabricator.com/D6670
This column has no default value and throws if you have maximum warnings activated:
EXCEPTION: (AphrontQueryException) #1364: Field 'commentVersion' doesn't have a default value...
Auditors: btrahan
Summary: Ref T3650. This adds a create transaction, transactions for metadata (title, langauge, view policy), and comments. Editor is used on all create /edit paths.
Test Plan: made some pastes via web and email - yay. edited pastes - yay. verified txns showed up on pastes and in feed correctly.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, Korvin
Maniphest Tasks: T3516, T3650
Differential Revision: https://secure.phabricator.com/D6645
Summary: easy peasy. noticed it trying to fix an image.
Test Plan: can fix image by phid once more!
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, Korvin
Differential Revision: https://secure.phabricator.com/D6659
Summary: Ref T3031. While we should probably do more than this, provide a more useful error message so I don't have to make users run `date` and such.
Test Plan:
Added `|| true` and ran `arc list`:
$ arc list --conduit-uri=http://local.aphront.com:8080/
Exception
ERR-INVALID-TOKEN: The request you submitted is signed with a timestamp, but that timestamp is not within 15 m of the current time. The signed timestamp is 1375454102 (Fri, 02 Aug 2013 07:35:02 -0700), and the current server time is 1375454102 (Fri, 02 Aug 2013 07:35:02 -0700). This is a differnce of 0 seconds, but the timestamps must differ from the server time by no more than 900 seconds. Your client or server clock may not be set correctly.
(Run with --trace for a full exception trace.)
Reviewers: btrahan, chad
Reviewed By: chad
CC: aran
Maniphest Tasks: T3031
Differential Revision: https://secure.phabricator.com/D6653
Summary:
The 'filter' works like this: Get all results matching query (all if there's no query), compute facets (if there are any) and then filter out the uninteresting results.
The 'filtered' query applies the filters when searching, not when processing results.
This is obviously not documented anywhere in the great Elasticsearch documentation.
http://stackoverflow.com/questions/14007078/performance-of-elastic-queries
We don't hit this problem very often as we usually use some query.
Test Plan: Searched for open documents using Elasticsearch, verified the sent JSON, verified results.
Reviewers: epriestley, wez
Reviewed By: epriestley
CC: aran, Korvin
Differential Revision: https://secure.phabricator.com/D6643
Summary: It turns out not everything is interesting. This adds a oneline story with less vertical space.
Test Plan: UIExamples
Reviewers: epriestley, btrahan
Reviewed By: epriestley
CC: aran, Korvin
Differential Revision: https://secure.phabricator.com/D6640
Summary:
Fixes T3666. D6585 updated the User handles, but accidentally dropped this unusual property.
We should get rid of this -- it doesn't really make any sense on Handles -- but restore the previous beahvior to fix T3666 until we can nuke it.
Test Plan: Clicked some pages? (Actually testing this properly is a bit of a pain and I am super lazy.)
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T3666
Differential Revision: https://secure.phabricator.com/D6644
Summary:
...bsasically add a "view mode" and play with that throughout the stack. Differences are...
- normal mode has comments; history mode does not
- normal mode has inline comments; history mode does not
- page uris are correct with respect to either mode
...and that's about it. I played around (wasted too much time) trying to make this cuter. I think just jamming this mode in here is the easiest / cleanest thing at the end. Feel free to tell me otherwise!
This largely gets even better via T3612. However, this fixes T3572.
Test Plan: played around with a mock with some history. noted correct uris on images. noted no errors in js console.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, Korvin
Maniphest Tasks: T3572
Differential Revision: https://secure.phabricator.com/D6638
Summary: Ref T2852. Current code works fine, but although we want to drop creation stories, we really only want to drop the story text, not the other effects of the creation story. Also generalize this mechanism so we don't have Asana-specific code in the publishers.
Test Plan: Used `bin/feed republish` to publish creation and non-creation stories. Verified creation story published no text.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T2852
Differential Revision: https://secure.phabricator.com/D6639
Summary: Fixes T3652.
Test Plan: Created a Ponder question with fancy remarkup in the descriptive text.
Reviewers: btrahan, Firehed
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T3652
Differential Revision: https://secure.phabricator.com/D6632
Summary: Fixes T1144. Though actually I think T1144 wanted some handy way to email from the command-line / arc, this is cooler. :D
Test Plan: set conf properly and then ./bin/mail receive-test --as btrahan --to pasties@phabricator.dev | README --> it worked...! couldn't test files as easily but verified exception thrown when I tried to test.
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, Korvin
Maniphest Tasks: T1144
Differential Revision: https://secure.phabricator.com/D6622
Summary:
Ref T3092.
- Check for a duplicate key error;
- do less single loading and use Query classes;
- use responsive UI elements;
- add crumbs.
Test Plan: Created a new project, and hit error cases.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T3092
Differential Revision: https://secure.phabricator.com/D6629
Summary: need to filter images that we can't find mocks for. Fixes T3645. Note I have some other errors in my feed which are really tricky to debug and might be garbage data; I want to see what happens in prod post this push.
Test Plan: set a mock visibility to no one and feed worked
Reviewers: epriestley
Reviewed By: epriestley
CC: aran, Korvin
Maniphest Tasks: T3645
Differential Revision: https://secure.phabricator.com/D6631
Summary: Feed stories have the ability to attach actions, but they were broken
Test Plan: review ui examples
Reviewers: epriestley, btrahan
Reviewed By: btrahan
CC: aran, Korvin
Differential Revision: https://secure.phabricator.com/D6621
Summary: Ref T3578. Get indexing back, and try to simplify it a bit.
Test Plan: Rebuilt QUES and MOCK indexes with `bin/search`. Created question with unique string, verified it appeared as a result. Added an answer with a unique string, got it as a result too.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T3578
Differential Revision: https://secure.phabricator.com/D6619
Summary: Ref T2715. When you type "T12", etc., into the search box, use ApplicationPHIDs to try to find an object name match.
Test Plan: Typed "T12", "rP", "Q11", etc.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T2715
Differential Revision: https://secure.phabricator.com/D6618
Summary: Ref T3578. Restores the voting UI and makes it a little prettier.
Test Plan: {F52089}
Reviewers: btrahan, chad
Reviewed By: chad
CC: aran
Maniphest Tasks: T3578
Differential Revision: https://secure.phabricator.com/D6614