Page MenuHomePhorge

502 Bad Gateway error when attempting to view repo info
Closed, DuplicatePublic


When trying to access rP/rARC via the Diffusion application, I receive the following error:

502 Bad Gateway
nginx/1.18.0 (Ubuntu)

The HyperText Transfer Protocol (HTTP) 502 Bad Gateway server error response code indicates that the server, while acting as a gateway or proxy, received an invalid response from the upstream server.

I can access the most recent commit for each repo by clicking into the URL under the repo name (e.g., rP7d4357683a31). Is there a issue with permissions or underlying server configuration?

Direct URLs with 502 error:

Event Timeline

Related to T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation perhaps? Revisions are stored in the database that's why they're viewable, but the main repository page requires a call to git.

Hmm, possibly depending on how it's hosted? What I saw when that CVE was announced on a local instance and on secure. was like the below screenshot, where the repo page was still visible but file structure and recent commits were b0rked:

image.png (655×1 px, 97 KB)

This is a direct result of T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation - confirmed in the Nginx error logs:

fatal: unsafe repository ('/var/repo/1' is owned by someone else)
To add an exception for this directory, call:

        git config --global --add /var/repo/1

since Diffusion is served by the www-data user, but repositories are owned by daemon-user, which phd runs under.

It looks like this should be resolved by cherry-picking rP3125d7a5f48d from the Phabricator upstream.