mirror of https://we.phorge.it/source/phorge.git synced 2024-11-28 09:42:41 +01:00
phorge-phorge/src/applications
epriestley 2037979142 Prevent Phame blogs from using invalid skins
Summary: Via HackerOne. An attacker with access to both Phame and the filesystem could potentially load a skin that lives outside of the configured skin directories, because we had insufficient checks on the actual skin at load time.

Test Plan: Attempted to build a blog with an invalid skin; got an exception instead of a mis-load of a sketchy skin.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10992
2014-12-15 10:41:49 -08:00
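The commit message above describes the failure mode (a skin name that resolves to a directory outside the configured skin roots because the loader never re-checked it at load time) but not the check itself. The following is an added example, not Phorge/Phabricator code and not the actual change in D10992: it resolves a caller-supplied skin name against a list of skin root directories and refuses anything that does not end up as a direct child of one of those roots, including a symlink planted inside a root that points elsewhere. The function name, the flat one-directory-per-skin layout and the temporary directory structure it builds are assumptions made for the demonstration.

```php
<?php
// Added example (not Phorge/Phabricator code). Assumed layout: every skin is a
// directory living directly under one of the configured roots and is named by
// that directory name only. resolve_skin_directory() is a hypothetical helper.

function resolve_skin_directory(string $skin_name, array $skin_roots): string {
  // Reject anything that is not a single plain path component before touching
  // the filesystem, so "../x", "/etc" and embedded separators never get that far.
  if (!preg_match('/^[A-Za-z0-9_.-]+$/', $skin_name) ||
      $skin_name === '.' || $skin_name === '..') {
    throw new InvalidArgumentException("Invalid skin name: {$skin_name}");
  }

  foreach ($skin_roots as $root) {
    $real_root = realpath($root);
    if ($real_root === false) {
      continue; // Misconfigured root: skip it rather than fail open.
    }
    $candidate = realpath($real_root . DIRECTORY_SEPARATOR . $skin_name);
    if ($candidate === false || !is_dir($candidate)) {
      continue;
    }
    // realpath() follows symlinks, so re-check containment on the resolved
    // path: the skin must still be a direct child of this root.
    if (dirname($candidate) !== $real_root) {
      continue;
    }
    return $candidate;
  }

  throw new RuntimeException(
    "Skin '{$skin_name}' is not inside any configured skin directory");
}

// Constructed temporary layout for the demonstration:
//   <tmp>/skins/good            a legitimate skin
//   <tmp>/outside/evil          a directory outside every skin root
//   <tmp>/skins/link -> <tmp>/outside/evil   symlink planted inside a root
$base = sys_get_temp_dir() . '/skin-check-' . bin2hex(random_bytes(4));
mkdir("$base/skins/good", 0700, true);
mkdir("$base/outside/evil", 0700, true);
symlink("$base/outside/evil", "$base/skins/link");
$roots = ["$base/skins"];

$cases = ['good', '../outside/evil', 'link', '/etc', 'missing'];
foreach ($cases as $name) {
  try {
    printf("%-16s -> %s\n", $name, resolve_skin_directory($name, $roots));
  } catch (Exception $e) {
    printf("%-16s -> rejected: %s\n", $name, $e->getMessage());
  }
}

// Clean up the constructed layout.
unlink("$base/skins/link");
rmdir("$base/skins/good");
rmdir("$base/skins");
rmdir("$base/outside/evil");
rmdir("$base/outside");
rmdir($base);
```

Only `good` resolves; the traversal, the absolute path and the nonexistent name are rejected before or at `realpath()`, and the symlink is rejected by the post-resolution `dirname()` check. The point of doing the containment check on the resolved path, at load time, is exactly what the commit message describes as missing: validating the configured skin list once at build time is not enough if the loader later trusts whatever name it is handed.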
almanac Allow repositories to be bound to an AlmanacService 2014-12-12 12:07:11 -08:00
aphlict/management Try nodejs before node when starting notification server 2014-06-07 13:56:23 -07:00
arcanist/conduit Rename Conduit classes 2014-07-25 10:54:15 +10:00
audit Home - limit "status" queries to 100 and show 99+ if we hit that 2014-12-12 12:02:25 -08:00
auth Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
base Home - limit "status" queries to 100 and show 99+ if we hit that 2014-12-12 12:02:25 -08:00
cache Automatically build all Lisk schemata 2014-10-02 09:51:20 -07:00
calendar Decouple some aspects of request routing and construction 2014-10-17 05:01:40 -07:00
celerity Update message and notification icons to use fonts 2014-12-08 13:53:29 -08:00
chatlog Minor formatting changes 2014-10-08 08:39:49 +11:00
conduit Make ConduitCall always local/in-process 2014-12-10 15:27:07 -08:00
config Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
conpherence Conpherence - fix add participant / remove participant form 2014-12-09 11:29:21 -08:00
console Move DarkConsole to an application 2014-10-13 11:17:09 -07:00
countdown Decouple some aspects of request routing and construction 2014-10-17 05:01:40 -07:00
daemon Move cancel/retry/free task queue actions to bin/worker 2014-12-06 09:14:16 -08:00
dashboard Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
differential Home - limit "status" queries to 100 and show 99+ if we hit that 2014-12-12 12:02:25 -08:00
diffusion Allow repositories to be bound to an AlmanacService 2014-12-12 12:07:11 -08:00
diviner Process Remarkup in text and HTML email bodies appropriately 2014-11-17 18:27:21 -08:00
doorkeeper Minor formatting changes 2014-10-08 08:39:49 +11:00
draft/storage Automatically build all Lisk schemata 2014-10-02 09:51:20 -07:00
drydock Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
fact Minor formatting changes 2014-10-08 08:39:49 +11:00
feed Audit - another partial fix to commit re-parsing bug 2014-10-20 17:39:19 -07:00
files Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
flag Home - limit "status" queries to 100 and show 99+ if we hit that 2014-12-12 12:02:25 -08:00
fund Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
harbormaster Fix an undefined variable 2014-12-08 04:11:12 -08:00
help Update Phabricator header to use FontAwesome 2014-12-04 13:01:23 -08:00
herald Maniphest - load subscribers in getApplicationTransactionsObject 2014-12-11 11:30:33 -08:00
home Update Phabricator header to use FontAwesome 2014-12-04 13:01:23 -08:00
legalpad Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
lipsum Apply some autofix linter rules 2014-09-10 06:55:05 +10:00
macro Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
mailinglists Decouple some aspects of request routing and construction 2014-10-17 05:01:40 -07:00
maniphest Restore Maniphest subscriber transaction mail tag 2014-12-14 07:49:30 -08:00
meta Home - limit "status" queries to 100 and show 99+ if we hit that 2014-12-12 12:02:25 -08:00
metamta Add email preference links to email footers 2014-11-19 17:06:33 -08:00
notification Decouple some aspects of request routing and construction 2014-10-17 05:01:40 -07:00
nuance Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
oauthserver Decouple some aspects of request routing and construction 2014-10-17 05:01:40 -07:00
owners Owners / Audit - restore link to view audits related to an owners package. 2014-11-07 16:45:59 -08:00
passphrase Title/Description querying for Passphrase credential 2014-12-09 16:23:09 -08:00
paste Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
people Home - limit "status" queries to 100 and show 99+ if we hit that 2014-12-12 12:02:25 -08:00
phame Prevent Phame blogs from using invalid skins 2014-12-15 10:41:49 -08:00
phid Transactions - deploy buildTransactionTimeline against a few more applications 2014-12-02 14:33:59 -08:00
phlux Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
pholio Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
phortune Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
phpast Minor formatting changes 2014-10-08 08:39:49 +11:00
phragment Minor formatting changes 2014-10-08 08:39:49 +11:00
phrequent Home - limit "status" queries to 100 and show 99+ if we hit that 2014-12-12 12:02:25 -08:00
phriction Phriction - validateTransactions that need parent ancestry to complete successfully 2014-12-12 11:35:43 -08:00
policy Linkify Registration Email 2014-11-07 14:16:30 -08:00
ponder Home - limit "status" queries to 100 and show 99+ if we hit that 2014-12-12 12:02:25 -08:00
project Don't show "Primary Hashtag" when creating a project 2014-12-10 15:33:13 -08:00
releeph Minor linter fixes 2014-12-09 18:37:32 +11:00
remarkup/conduit Rename Conduit classes 2014-07-25 10:54:15 +10:00
repository Allow repositories to be bound to an AlmanacService 2014-12-12 12:07:11 -08:00
search Maniphest - use subscribers framework properly 2014-12-10 16:27:30 -08:00
settings Make settings a wrench, not a cog 2014-12-04 17:36:15 -08:00
slowvote Transactions - adding willRenderTimeline to handle tricky cases 2014-12-04 13:58:52 -08:00
subscriptions Maniphest - use subscribers framework properly 2014-12-10 16:27:30 -08:00
support/application Implement the getName method in PhabricatorApplication subclasses 2014-07-23 23:52:50 +10:00
system Automatically build all Lisk schemata 2014-10-02 09:51:20 -07:00
tokens Minor formatting changes 2014-10-08 08:39:49 +11:00
transactions Fix a stray comma on File previews 2014-12-11 11:10:52 -08:00
typeahead Projects - tokenize projects more aggressively with respect to '-' 2014-08-14 12:28:11 -07:00
uiexample Clean up UITooltips 2014-11-24 11:57:29 -08:00
xhprof Automatically build all Lisk schemata 2014-10-02 09:51:20 -07:00