mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 00:42:41 +01:00
epriestley d3e700ce19 Further mitigate BREACH by reducing reflectiveness
Summary:
Ref T3684. The URI itself is reflected in a few places. It is generally not dangerous because we only let you add random stuff to the end of it for one or two controllers (e.g., the file download controller lets you add "/whatever.jpg"), but:

  - Remove it entirely in the main request, since it serves no purpose.
  - Remove query parameters in Ajax requests. These are available in DarkConsole proper.

Also mask a few things in the "Request" tab; I've never used these fields when debugging or during support, and they leak quasi-sensitive information that could get screenshotted or over-the-shoulder'd.

I didn't mitigate `__metablock__` because I think the threat is so close to 0 that it's not worthwhile.

Test Plan: Used DarkConsole, examined Requests tab.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T3684

Differential Revision: https://secure.phabricator.com/D6699
2013-08-07 16:09:25 -07:00
bin Provide a more flexible script for administrative management of audits 2013-08-05 10:35:01 -07:00
conf Add a setup warning for port in mysql.host 2013-07-14 16:57:50 -07:00
externals Provide clearer syntax highlighting for phame posts. Including background colour, overflow scrolling and border. Also support for tt tag differentiation 2013-07-03 06:25:45 -07:00
resources Paste - add support for email replies and subscribers 2013-08-05 17:11:46 -07:00
scripts Provide a more flexible script for administrative management of audits 2013-08-05 10:35:01 -07:00
src Further mitigate BREACH by reducing reflectiveness 2013-08-07 16:09:25 -07:00
support Proof of concept mitigation of BREACH 2013-08-07 16:09:05 -07:00
webroot Update pinboard view styles, move to PHUI 2013-08-07 10:58:09 -07:00
.arcconfig Use JsShrink if jsxmin is not available 2013-05-18 17:04:22 -07:00
.divinerconfig Centralize rendering of application mail bodies 2012-07-16 19:01:43 -07:00
.editorconfig Specify config for text editors 2012-11-03 22:34:44 -07:00
.gitignore Ignore and README for support/bin 2013-04-03 12:58:39 -07:00
LICENSE Delete license headers from files 2012-11-05 11:16:51 -08:00
NOTICE Increment year. 2013-01-03 05:45:08 -08:00
README Update README 2013-07-03 12:08:37 -07:00

Phabricator is an open source collection of web applications which make it
easier to write, review, and share source code. Phabricator was developed at
Facebook.

It's pretty high-quality and usable, but under active development so things 
may change quickly.

You can learn more about the project and find links to documentation and
resources at: http://phabricator.org/

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.