phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 00:42:41 +01:00

No description

Find a file

epriestley ab579f2511 Never generate file download forms which point to the CDN domain, tighten "form-action" CSP Summary: Depends on D19155. Ref T13094. Ref T4340. We can't currently implement a strict `form-action 'self'` content security policy because some file downloads rely on a `<form />` which sometimes POSTs to the CDN domain. Broadly, stop generating these forms. We just redirect instead, and show an interstitial confirm dialog if no CDN domain is configured. This makes the UX for installs with no CDN domain a little worse and the UX for everyone else better. Then, implement the stricter Content-Security-Policy. This also removes extra confirm dialogs for downloading Harbormaster build logs and data exports. Test Plan: - Went through the plain data export, data export with bulk jobs, ssh key generation, calendar ICS download, Diffusion data, Paste data, Harbormaster log data, and normal file data download workflows with a CDN domain. - Went through all those workflows again without a CDN domain. - Grepped for affected symbols (`getCDNURI()`, `getDownloadURI()`). - Added an evil form to a page, tried to submit it, was rejected. - Went through the ReCaptcha and Stripe flows again to see if they're submitting any forms. Subscribers: PHID-OPKG-gm6ozazyms6q6i22gyam Maniphest Tasks: T13094, T4340 Differential Revision: https://secure.phabricator.com/D19156		2018-02-28 17:20:12 -08:00
bin	Add skeleton code for webhooks	2018-02-09 13:55:04 -08:00
conf	Support "ssl.chain" in Aphlict configuration	2016-04-14 10:41:21 -07:00
externals	Add profile images to Repositories	2017-06-12 07:51:39 -07:00
resources	Never generate file download forms which point to the CDN domain, tighten "form-action" CSP	2018-02-28 17:20:12 -08:00
scripts	When `bin/drydock lease` is interrupted, release leases	2018-02-13 13:14:21 -08:00
src	Never generate file download forms which point to the CDN domain, tighten "form-action" CSP	2018-02-28 17:20:12 -08:00
support	Always setlocale() to en_US.UTF-8 for the main process	2018-02-05 12:23:06 -08:00
webroot	Never generate file download forms which point to the CDN domain, tighten "form-action" CSP	2018-02-28 17:20:12 -08:00
.arcconfig	Set "history.immutable" to "false" explicitly in .arcconfig	2016-08-03 08:12:49 -07:00
.arclint	Begin adding test coverage to GitHub Events API parsers	2016-03-09 09:30:07 -08:00
.arcunit	Use the configuration driven unit test engine	2015-08-11 07:57:11 +10:00
.editorconfig	Fix text lint issues	2015-02-12 07:00:13 +11:00
.gitignore	Make i18n string extraction faster and more flexible	2016-07-04 10:23:30 -07:00
LICENSE	Fix text lint issues	2015-02-12 07:00:13 +11:00
NOTICE	Update Phabricator NOTICE file to reflect modern legal circumstances	2014-06-25 13:42:13 -07:00
README.md	Remove push to IRC from "readme.md" too	2015-10-24 18:39:16 -07:00

README.md

Phabricator is a collection of web applications which help software companies build better software.

Phabricator includes applications for:

reviewing and auditing source code;
hosting and browsing repositories;
tracking bugs;
managing projects;
conversing with team members;
assembling a party to venture forth;
writing stuff down and reading it later;
hiding stuff from coworkers; and
also some other things.

You can learn more about the project (and find links to documentation and resources) at Phabricator.org

Phabricator is developed and maintained by Phacility.

SUPPORT RESOURCES

For resources on filing bugs, requesting features, reporting security issues, and getting other kinds of support, see Support Resources.

NO PULL REQUESTS!

We do not accept pull requests through GitHub. If you would like to contribute code, please read our Contributor's Guide.

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.