mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-18 21:02:41 +01:00
e45ffda55a
Summary:
- For context, see T547. This is the last (maybe?) in a series of diffs that moves us off raw sha1() calls in order to make it easier to audit the codebase for correct use of hash functions.
- This breaks CSRF tokens. Any open forms will generate an error when submitted, so maybe upgrade off-peak.
- We now generate HMAC mail keys but accept MAC or HMAC. In a few months, we can remove the MAC version.
- The only remaining callsite is Conduit. We can't use HMAC since Arcanist would need to know the key. {T550} provides a better solution to this, anyway.

Test Plan:
- Verified CSRF tokens generate properly.
- Manually changed CSRF to an incorrect value and got an error.
- Verified mail generates with a new mail hash.
- Verified Phabricator accepts both old and new mail hashes.
- Verified Phabricator rejects bad mail hashes.
- Checked user log, things look OK.

Reviewers: btrahan, jungejason, benmathews
Reviewed By: btrahan
CC: aran, epriestley, btrahan
Maniphest Tasks: T547
Differential Revision: 1237

bin
conf
externals
resources
scripts
src
support/aphlict
webroot
.arcconfig
.divinerconfig
.gitignore
.gitmodules
README

Phabricator is an open source collection of web applications which make it easier to write, review, and share source code. Phabricator was developed at Facebook.

This is an early release. It's pretty high-quality and usable, but under active development so things may change quickly.

You can learn more about the project and find links to documentation and resources at:

http://phabricator.org/

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.

http://www.apache.org/licenses/LICENSE-2.0