mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-23 15:22:41 +01:00
No description
d3e700ce19
Summary: Ref T3684. The URI itself is reflected in a few places. It is generally not dangerous because we only let you add random stuff to the end of it for one or two controllers (e.g., the file download controller lets you add "/whatever.jpg"), but: - Remove it entirely in the main request, since it serves no purpose. - Remove query parameters in Ajax requests. These are available in DarkConsole proper. Also mask a few things in the "Request" tab; I've never used these fields when debugging or during support, and they leak quasi-sensitive information that could get screenshotted or over-the-shoulder'd. I didn't mitgate `__metablock__` because I think the threat is so close to 0 that it's not worthwhile. Test Plan: Used Darkconsole, examined Requests tab. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T3684 Differential Revision: https://secure.phabricator.com/D6699 |
||
|---|---|---|
| bin | ||
| conf | ||
| externals | ||
| resources | ||
| scripts | ||
| src | ||
| support | ||
| webroot | ||
| .arcconfig | ||
| .divinerconfig | ||
| .editorconfig | ||
| .gitignore | ||
| LICENSE | ||
| NOTICE | ||
| README | ||
Phabricator is an open source collection of web applications which make it easier to write, review, and share source code. Phabricator was developed at Facebook. It's pretty high-quality and usable, but under active development so things may change quickly. You can learn more about the project and find links to documentation and resources at: http://phabricator.org/ LICENSE Phabricator is released under the Apache 2.0 license except as otherwise noted.