mirror of https://we.phorge.it/source/phorge.git synced 2025-02-07 04:18:31 +01:00
epriestley 0b9c54a6bb Detect missing 'params' in Conduit calls
Summary:
Suhosin has about 50 options for filtering input variables, documented here:

http://www.hardened-php.net/suhosin/configuration.html

The default behavior of Suhosin is to drop the variable entirely if it violates any of the rules, then continue with the request. It doesn't affect 'php://input' and doesn't drop other variables, so it evades existing detection, and we can't figure out that it's happened at runtime. We could add blanket checks (Suhosin enabled + suhosin.filter.action set to nothing means this may happen, and will be undetectable if it does happen) but can't tailor a check or recovery to this specific problem.

Instead, raise a better error in the specific case where we encounter this, which is Conduit calls of "arc diff" of files over 1MB (the default POST limit). In these cases, Suhosin drops the variable entirely. If there is no 'params', scream. We never encounter this case normally (`arc`, including `arc call-conduit`, always sends this parameter) although other clients might omit it. The only exception is the web console with `conduit.ping`, which submits nothing; make it submit something so it keeps working.

See also https://github.com/facebook/phabricator/issues/233#issuecomment-11186074

Test Plan: Brought up a Debian + Suhosin box, verified the behavior of Suhosin, made requests with and without 'params'.

Reviewers: btrahan, vrana

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D4144
2012-12-11 14:01:18 -08:00
bin Modernize the drydock script 2012-11-01 15:30:14 -07:00
conf Modernize Macro application 2012-12-11 14:01:03 -08:00
externals Support SMTP as the mailer. 2012-12-09 02:37:02 -08:00
resources Modernize Macro application 2012-12-11 14:01:03 -08:00
scripts Minor, update package definitions to include all the new sprite CSS. 2012-12-07 13:54:12 -08:00
src Detect missing 'params' in Conduit calls 2012-12-11 14:01:18 -08:00
support Delete license headers from files 2012-11-05 11:16:51 -08:00
webroot Modernize Macro application 2012-12-11 14:01:03 -08:00
.arcconfig Delete license headers from files 2012-11-05 11:16:51 -08:00
.divinerconfig Centralize rendering of application mail bodies 2012-07-16 19:01:43 -07:00
.editorconfig Specify config for text editors 2012-11-03 22:34:44 -07:00
.gitignore Remove support for custom logos 2012-07-30 11:09:28 -07:00
.gitmodules Just change the location. 2011-05-28 15:14:54 -07:00
LICENSE Delete license headers from files 2012-11-05 11:16:51 -08:00
NOTICE Delete license headers from files 2012-11-05 11:16:51 -08:00
README Delete license headers from files 2012-11-05 11:16:51 -08:00

Phabricator is an open source collection of web applications which make it easier
to write, review, and share source code. Phabricator was developed at Facebook.

This is an early release. It's pretty high-quality and usable, but under
active development so things may change quickly.

You can learn more about the project and find links to documentation and
resources at: http://phabricator.org/

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.