phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2025-01-22 12:41:19 +01:00

No description

Find a file

epriestley 45665dd3b4 Hide "notification.servers" configuration and don't follow redirects from Aphlict Summary: See <https://hackerone.com/reports/850114>. An attacker with administrator privileges can configure "notification.servers" to connect to internal services, either directly or with chosen parameters by selecting an attacker-controlled service and having it issue a "Location" redirect. Generally, we allow this attack to occur. The same administrator can use an authentication provider or a VCS repository to perform the same attack, and we can't reasonably harden these workflows without breaking things that users expect to be able to do. There's no reason this particular variation of the attack needs to be allowable, though, and the current behavior isn't consistent with how other similar things work. - Hide the "notification.servers" configuration, which also locks it. This is similar to other modern service/server configuration. - Don't follow redirects on these requests. Aphlict should never issue a "Location" header, so if we encounter one something is misconfigured. Declining to follow this header likely makes the issue easier to debug. Test Plan: - Viewed configuration in web UI. - Configured a server that "Location: ..." redirects, got a followed redirect before and a failure afterward. {F7365973} Differential Revision: https://secure.phabricator.com/D21123		2020-04-15 07:00:51 -07:00
bin	Remove the "ssh-auth-key" script	2019-10-28 17:52:37 -07:00
conf	Remove an old digest in Celerity code and some obsolete configuration options	2019-01-04 13:43:38 -08:00
externals	Merge a small amount of remaining "libphutil/" code with Phabricator, break libphutil dependency	2020-02-12 15:17:36 -08:00
resources	Extract raw commit messages from Git more faithfully across Git versions	2020-02-24 12:37:45 -08:00
scripts	Update a Phabricator -> Arcanist include path for scripts in Phabricator	2020-02-14 08:32:26 -08:00
src	Hide "notification.servers" configuration and don't follow redirects from Aphlict	2020-04-15 07:00:51 -07:00
support	Reduce the verbosity of the "Aphlict" log	2020-04-14 13:24:44 -07:00
webroot	Add more layout constraints to tokenizer CSS to prevent layout issues with Chinese glyphs in Firefox 73	2020-02-24 08:00:44 -08:00
.arcconfig	Set "history.immutable" to "false" explicitly in .arcconfig	2016-08-03 08:12:49 -07:00
.arclint	Continue moving classes with no callers in libphutil or Arcanist to Phabricator	2020-02-12 13:14:04 -08:00
.arcunit	Use the configuration driven unit test engine	2015-08-11 07:57:11 +10:00
.editorconfig	Fix text lint issues	2015-02-12 07:00:13 +11:00
.gitignore	Make i18n string extraction faster and more flexible	2016-07-04 10:23:30 -07:00
LICENSE	Fix text lint issues	2015-02-12 07:00:13 +11:00
NOTICE	Update Phabricator NOTICE file to reflect modern legal circumstances	2014-06-25 13:42:13 -07:00
README.md	Remove push to IRC from "readme.md" too	2015-10-24 18:39:16 -07:00

README.md

Phabricator is a collection of web applications which help software companies build better software.

Phabricator includes applications for:

reviewing and auditing source code;
hosting and browsing repositories;
tracking bugs;
managing projects;
conversing with team members;
assembling a party to venture forth;
writing stuff down and reading it later;
hiding stuff from coworkers; and
also some other things.

You can learn more about the project (and find links to documentation and resources) at Phabricator.org

Phabricator is developed and maintained by Phacility.

SUPPORT RESOURCES

For resources on filing bugs, requesting features, reporting security issues, and getting other kinds of support, see Support Resources.

NO PULL REQUESTS!

We do not accept pull requests through GitHub. If you would like to contribute code, please read our Contributor's Guide.

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.