
Pull security fixes from Mozilla's fork

Asked by l2dy on Nov 6 2023, 13:20.

Details

Mozilla's Phabricator fork addressed three vulnerabilities recently. We may want to merge some of their changes: https://github.com/mozilla-conduit/phabricator/commits/master/

  1. D25464 Stored XSS via PDF files. https://github.com/mozilla-conduit/phabricator/commit/5ec132bf9ebfb90558f1b7f646772176629f86d0

     Further reading about this kind of vulnerability: https://github.com/jonaslejon/malicious-pdf

  2. T15665 "Possible XSS when downloading raw diffs from a revision" https://github.com/mozilla-conduit/phabricator/commit/d8bb7d91b7d219902afed1ae7a8ae5e33862a842

     I haven't figured out how it works yet. We have explicitly set the MIME type to text/plain, and special characters in filenames are escaped or replaced with _ in generated URLs. I will investigate further if they make their bug report open to the public. https://bugzilla.mozilla.org/show_bug.cgi?id=1849193

  3. T15663 Profile transformation on private files makes it publicly accessible

Answers

valerio.bozzolan
Updated 406 Days Ago

Short answer! Yes, thanks!

To do that, I suggest just pulling our Phorge, checking out our master, also fetching from Mozilla, cherry-picking a commit from Mozilla, and proposing that patch in Phorge. And we can review it together as usual.

For some reason Phorge is quite active and there is a good chance of having your work approved here, as you can see from this history:

https://we.phorge.it/differential/query/all/

(P.S. You are now a Trusted Contributor - thanks for your question, and feel free to elevate these things to Tasks under Security, so you don't need to create Questions anymore.)
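The workflow the answer describes, written out as an added shell example (this is not code from the original post, nor from Phorge or Mozilla): add Mozilla's fork as a remote, fetch it, cherry-pick the fix onto a branch off master, and hand the branch to `arc diff`. The fork URL and the commit SHA in the usage comment are the ones cited in the question; the remote name `mozilla`, the branch name `security-pdf-xss`, the function names and the two throwaway repositories the demo builds are assumptions made for the example so that it runs offline.

```shell
#!/bin/sh
# Added example: pulling one commit from Mozilla's fork into a Phorge
# checkout, as the answer suggests. Not code from the original page.
set -eu

# Fetch a fork and cherry-pick one of its commits onto a new branch off
# master. Run inside a git clone of Phorge. Arguments: fork URL, commit
# SHA, branch name. The remote name "mozilla" is an assumption.
cherry_pick_from_fork() {
    fork_url=$1
    sha=$2
    branch=$3
    git remote get-url mozilla >/dev/null 2>&1 || git remote add mozilla "$fork_url"
    git fetch --quiet mozilla
    git checkout --quiet -b "$branch" master
    # -x appends "(cherry picked from commit <sha>)" to the message, so the
    # Differential revision keeps a verifiable pointer to the upstream fix.
    git cherry-pick -x "$sha"
}

# Offline demonstration: two throwaway repositories stand in for the
# Phorge clone and Mozilla's fork, so the workflow can be exercised
# without network access. Prints the cherry-picked file's content.
demo_cherry_pick() {
    tmp=$(mktemp -d)
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

    # Stand-in for the Phorge clone: a single commit on master.
    git init -q "$tmp/phorge"
    git -C "$tmp/phorge" symbolic-ref HEAD refs/heads/master
    echo "Phorge" > "$tmp/phorge/README"
    git -C "$tmp/phorge" add README
    git -C "$tmp/phorge" commit -q -m "Initial commit"

    # Stand-in for Mozilla's fork: a clone carrying one (constructed) fix.
    git clone -q "$tmp/phorge" "$tmp/mozilla"
    mkdir -p "$tmp/mozilla/src"
    echo "constructed stand-in for a security fix" > "$tmp/mozilla/src/fix.txt"
    git -C "$tmp/mozilla" add src/fix.txt
    git -C "$tmp/mozilla" commit -q -m "Fix stored XSS via PDF files (stand-in)"
    sha=$(git -C "$tmp/mozilla" rev-parse HEAD)

    # The actual workflow, run inside the Phorge stand-in.
    ( cd "$tmp/phorge" && cherry_pick_from_fork "$tmp/mozilla" "$sha" security-pdf-xss >/dev/null )

    # Checks: we are on the new branch, and the commit message records
    # which upstream commit it was picked from.
    [ "$(git -C "$tmp/phorge" rev-parse --abbrev-ref HEAD)" = "security-pdf-xss" ]
    git -C "$tmp/phorge" log -1 --format=%B | grep -q "cherry picked from commit $sha"
    cat "$tmp/phorge/src/fix.txt"
    rm -rf "$tmp"
}

# Real usage from inside a Phorge clone (needs network access and arc):
#   cherry_pick_from_fork https://github.com/mozilla-conduit/phabricator.git \
#       5ec132bf9ebfb90558f1b7f646772176629f86d0 security-pdf-xss
#   arc diff master
demo_cherry_pick
```

The `-x` flag matters for review: the resulting Differential revision carries the upstream SHA in its commit message, so reviewers can diff the proposed patch against Mozilla's original commit instead of trusting the description.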
