revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-09-20 01:08:50 +02:00
Code Issues Releases Wiki Activity
No description
16560 commits 3 branches 6 tags 152 MiB
PHP 93.5%
JavaScript 4.1%
CSS 2.4%
Find a file
epriestley 45665dd3b4 Hide "notification.servers" configuration and don't follow redirects from Aphlict 
Summary:
See <https://hackerone.com/reports/850114>.

An attacker with administrator privileges can configure "notification.servers" to connect to internal services, either directly or with chosen parameters by selecting an attacker-controlled service and having it issue a "Location" redirect.

Generally, we allow this attack to occur. The same administrator can use an authentication provider or a VCS repository to perform the same attack, and we can't reasonably harden these workflows without breaking things that users expect to be able to do.

There's no reason this particular variation of the attack needs to be allowable, though, and the current behavior isn't consistent with how other similar things work.

  - Hide the "notification.servers" configuration, which also locks it. This is similar to other modern service/server configuration.
  - Don't follow redirects on these requests. Aphlict should never issue a "Location" header, so if we encounter one something is misconfigured. Declining to follow this header likely makes the issue easier to debug.

Test Plan:
  - Viewed configuration in web UI.
  - Configured a server that "Location: ..." redirects, got a followed redirect before and a failure afterward.

{F7365973}

Differential Revision: https://secure.phabricator.com/D21123
2020-04-15 07:00:51 -07:00
bin Remove the "ssh-auth-key" script 2019-10-28 17:52:37 -07:00
conf Remove an old digest in Celerity code and some obsolete configuration options 2019-01-04 13:43:38 -08:00
externals Merge a small amount of remaining "libphutil/" code with Phabricator, break libphutil dependency 2020-02-12 15:17:36 -08:00
resources Extract raw commit messages from Git more faithfully across Git versions 2020-02-24 12:37:45 -08:00
scripts Update a Phabricator -> Arcanist include path for scripts in Phabricator 2020-02-14 08:32:26 -08:00
src Hide "notification.servers" configuration and don't follow redirects from Aphlict 2020-04-15 07:00:51 -07:00
support Reduce the verbosity of the "Aphlict" log 2020-04-14 13:24:44 -07:00
webroot Add more layout constraints to tokenizer CSS to prevent layout issues with Chinese glyphs in Firefox 73 2020-02-24 08:00:44 -08:00
.arcconfig Set "history.immutable" to "false" explicitly in .arcconfig 2016-08-03 08:12:49 -07:00
.arclint Continue moving classes with no callers in libphutil or Arcanist to Phabricator 2020-02-12 13:14:04 -08:00
.arcunit Use the configuration driven unit test engine 2015-08-11 07:57:11 +10:00
.editorconfig
.gitignore Make i18n string extraction faster and more flexible 2016-07-04 10:23:30 -07:00
LICENSE
NOTICE
README.md Remove push to IRC from "readme.md" too 2015-10-24 18:39:16 -07:00

README.md

Phabricator is a collection of web applications which help software companies build better software.

Phabricator includes applications for:

  • reviewing and auditing source code;
  • hosting and browsing repositories;
  • tracking bugs;
  • managing projects;
  • conversing with team members;
  • assembling a party to venture forth;
  • writing stuff down and reading it later;
  • hiding stuff from coworkers; and
  • also some other things.

You can learn more about the project (and find links to documentation and resources) at Phabricator.org

Phabricator is developed and maintained by Phacility.

SUPPORT RESOURCES

For resources on filing bugs, requesting features, reporting security issues, and getting other kinds of support, see Support Resources.

NO PULL REQUESTS!

We do not accept pull requests through GitHub. If you would like to contribute code, please read our Contributor's Guide.

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.