
502 Bad Gateway error when attempting to view repo info
Closed, Duplicate (Public)

Description

When trying to access rP/rARC via the Diffusion application, I receive the following error:

502 Bad Gateway
nginx/1.18.0 (Ubuntu)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/502

The HyperText Transfer Protocol (HTTP) 502 Bad Gateway server error response code indicates that the server, while acting as a gateway or proxy, received an invalid response from the upstream server.

I can access the most recent commit for each repo by clicking into the URL under the repo name (e.g., rP7d4357683a31). Is there an issue with permissions or underlying server configuration?


Direct URLs with 502 error:
https://we.phorge.it/source/phorge/
https://we.phorge.it/source/arcanist/

Event Timeline

Related to T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation perhaps? Revisions are stored in the database; that's why they're viewable, but the main repository page requires a call to git.

Hmm, possibly depending on how it's hosted? What I saw when that CVE was announced on a local instance and on secure. was like the below screenshot, where the repo page was still visible but file structure and recent commits were b0rked:

image.png (655×1 px, 97 KB)

This is a direct result of T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation - confirmed in the Nginx error logs:

STDERR
fatal: unsafe repository ('/var/repo/1' is owned by someone else)
To add an exception for this directory, call:

        git config --global --add safe.directory /var/repo/1

since Diffusion is served by the www-data user, but repositories are owned by daemon-user, which phd runs under.

It looks like this should be resolved by cherry-picking rP3125d7a5f48d from the Phabricator upstream.
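
The ownership mismatch identified in the thread can be audited directly on the host. The script below is an added example, not part of the original thread or of Phorge: `/var/repo` and `www-data` come from the log above, while the function names and the one-path-per-line exception file are assumptions. It approximates git's check by comparing the directory owner with the service account's uid and matching `safe.directory` values exactly.

```shell
#!/bin/sh
# Added example (not Phorge code): list repository directories that git would
# refuse with "unsafe repository (... is owned by someone else)" when run as
# a given uid, unless a safe.directory exception covers them.

# Numeric owner of a directory, via POSIX ls (no GNU stat needed).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# is_safe_listed DIR LISTFILE: succeed if DIR, or the wildcard "*", appears
# in LISTFILE (assumed format: one safe.directory value per line).
is_safe_listed() {
    [ -n "$2" ] && [ -f "$2" ] || return 1
    grep -Fxq -e "$1" -e '*' -- "$2"
}

# would_reject DIR SERVICE_UID [LISTFILE]: succeed if the owner differs from
# SERVICE_UID and no exception applies.
would_reject() {
    [ "$(owner_uid "$1")" != "$2" ] || return 1
    ! is_safe_listed "$1" "${3:-}"
}

# audit_repos ROOT SERVICE_UID [LISTFILE]: print each direct subdirectory of
# ROOT that would be rejected.
audit_repos() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if would_reject "$d" "$2" "${3:-}"; then
            printf '%s\n' "$d"
        fi
    done
}

# Example call: sh audit.sh /var/repo "$(id -u www-data)" [listfile]
if [ "$#" -ge 2 ]; then audit_repos "$@"; fi
```

The exception file can be produced from the service account's own configuration with `git config --global --get-all safe.directory`.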