To be fair, I wouldn't discount already needing access as a viable attack vector, even on private installations.
May 28 2022
It sounds specific to people who already have access, thank you -- do very much need to pull in latest
The disclosed issue is that someone can gain access to Files objects they don't have access to by, for example, getting someone with permissions to edit a task they wrote (by including a reference to that file which gets "activated" when the person with permissions to view it saves the edit), which makes the file accessible via the task description.
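An added model of the pattern described above, not Phorge or Phabricator code, with hypothetical class and function names: the vulnerable shape attaches every reference in the saved text using the saving editor's visibility, while the hardened shape only considers references that editor introduced.

```php
<?php
// Added model, not Phorge/Phabricator code: how a {F123} file reference in task
// text can be "activated" by a more privileged editor, and the check that
// prevents it. All class and function names here are hypothetical.

final class FileObj {
    public function __construct(public string $id, public array $viewers) {}
}
final class User {
    public function __construct(public string $name) {}
}

function canView(User $u, FileObj $f): bool {
    return in_array($u->name, $f->viewers, true);
}

// Pull {F123}-style Remarkup file references out of a description.
function fileRefs(string $text): array {
    preg_match_all('/\{F(\d+)\}/', $text, $m);
    return array_values(array_unique($m[1]));
}

// Vulnerable shape: every reference present in the saved text is attached using
// the saving user's visibility. A low-privilege author who references F42 gets
// it attached (and readable through the task) as soon as a privileged user
// saves any edit, even one that never touched the reference.
function attachVulnerable(User $editor, string $newText, array $files): array {
    $attached = [];
    foreach (fileRefs($newText) as $id) {
        if (isset($files[$id]) && canView($editor, $files[$id])) {
            $attached[] = $id;
        }
    }
    return $attached;
}

// Hardened shape: only references this edit introduced are considered, and only
// against the editor's own visibility, so a reference cannot be laundered
// through someone else's permissions on a later save.
function attachHardened(User $editor, string $oldText, string $newText, array $files): array {
    $introduced = array_diff(fileRefs($newText), fileRefs($oldText));
    $attached = [];
    foreach ($introduced as $id) {
        if (isset($files[$id]) && canView($editor, $files[$id])) {
            $attached[] = $id;
        }
    }
    return array_values($attached);
}

// Constructed scenario: 'author' cannot see F42, 'admin' can.
$files  = ['42' => new FileObj('42', ['admin'])];
$admin  = new User('admin');
$orig   = 'Please look at {F42}';               // written by the low-privilege author
$edited = $orig . ' (bumped to high priority)'; // admin saves an unrelated edit

// Vulnerable path: F42 is attached through the admin's visibility.
var_dump(attachVulnerable($admin, $edited, $files));
// Hardened path: nothing is attached, the admin did not introduce the reference.
var_dump(attachHardened($admin, $orig, $edited, $files));
```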
Thanks -- Offhand do you know if this is related to login in that a malicious actor can gain access to source code when unpatched?
IMPORTANT: This release mitigates a severe security issue which allows attackers with few permissions to gain access to files they cannot otherwise see. All installs are strongly advised to upgrade.
FYI today's release (2022 week 21 stable) has some pretty serious security content
May 21 2022
@dcog I think the differences with the Harbormaster changes are due to the different approach taken. We planned to do the approach which you took in D25036 which re-played the Phorge diffs on top of phabricator, however in D25040 I just did a merge of the phab/master branch into phorge/master where the Harbormaster changes already existed. Since upstream didn't modify the same Harbormaster files there were no conflicts and things merged appropriately. I did a sanity check of files changed on D25005 with the files changed on D25040.
Do we even have servers to run the tests on?
In T15094#2292, @speck wrote: I did not think we had Harbormaster set up to run unit tests - I think that involves configuring both Harbormaster and Drydock, and possibly Almanac which I don't think anyone has done.
I'll go back and review those Harbormaster file changes. Thanks for pointing that out!
In T15094#2281, @dcog wrote: This would be a legitimately good exercise to try and do "properly"... although, the thought of not doing it optimally can be a bit of a barrier to starting..
Given the edge cases outlined in T15094#2279, would there be cases in step 2 (or 1?) from T15094#2259 that might benefit from Git cherry-picking? @golyalpha, any thoughts on that? I nearly never have to use cherry-picking, or maybe I should, but either way I'm not very familiar with it other than I'm wondering if it may be relevant
After some reading I'm finding that, as far as I can tell, it's not designed to pick/integrate *specific lines* from a diff, but rather a specific whole commit (from any local or remote branch most likely).. if I'm understanding it correctly
But, perhaps, it could still have the same effect as removing lines from one, and keeping lines from the other when grabbing specific whole commits
The more I think about this the more I'm confusing myself, but hopefully some fraction of this makes sense
I did not think we had Harbormaster set up to run unit tests - I think that involves configuring both Harbormaster and Drydock, and possibly Almanac which I don't think anyone has done.
I would think that your method produced the results we want... though I was noticing this:
I see it looks Harbormaster itself does the testing?
My vote is that if tests pass we go ahead and do the thing.... More changes in upstream seems fine, and moving forward if we keep up it should get easier and easier hopefully
Oh nice!!
Though it does appear additional work has been landing upstream today
Any concerns about landing those changes? Once I land I'll see about updating this instance which should make accessing the repositories possible again.
May 20 2022
Merged the arcanist repository in D25039
May 17 2022
This would be a legitimately good exercise to try and do "properly"... although, the thought of not doing it optimally can be a bit of a barrier to starting..
Here is one thing I noticed... In at least a couple of the files, there may be changes that:
May 12 2022
If we merge, a force-push should not be required - unless you mean something other than standard git merge here. (Force-push is required when rewriting already pushed history - git merge simply adds a new commit that applies the changes on top of the branch)
May 3 2022
It looks like upstream has issued a number of updates which we'll want to pull in. From {E4} we discussed doing the following:
Apr 28 2022
Evan recently landed a boatload of changes to address this under https://secure.phabricator.com/T13658
Apr 20 2022
As of right now, we have made no changes to the database and other "internals" - our work has been focused on rebranding as "Phabricator" is a trademarked name. For this reason, a rough migration path would be to check out the master branch of rP, copy the config directory from Phabricator to Phorge, and then point Phorge to your Phabricator database. I have tested it myself locally and it appears to work; however, if you have any issues feel free to ask a question on Ponder here and we can get back to you!
We are now at a decision point where we either install Phorge from Scratch or migrate Phabricator to Phorge.
Created {D25036}
Apr 5 2022
As discussed in {E2}, we might add temporary banners to Diviner to state that we are rebranding. This would allow some time for us to handle the code rebrand and address the underlying Diviner issues before we edit everything twice.
In T15012#1283, @MacFan4000 wrote: I will note that also the tech docs aren't fully generated since there should be docs for most of the phorge/phabricator classes. Also the arcanist docs aren't generated at all.
Apr 4 2022
Alright, I've just went through a similar process - they apparently have changed their process a little but there still is a form to fill out: https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3 (you need a Microsoft Account to fill it out, but they'll contact you on the contact email you give in the form)
Mar 29 2022
Since all changes are going to be submitted to the upstream prior to landing here in Phorge it would be easiest if changes were made to a clone of Phabricator and not a clone of Phorge.
As part of {E1} we reviewed this as a priority item, and have created T15077: Rebrand: Tracking task for concrete first steps forwards. There is a lot of text to update and review and that task is setup with instructions on how we're approaching it as well as listing out all the individual applications to update. Anyone interested in assisting please review that task and feel free to put your name on an application/folder, as well as ask any questions for clarification.
I put up some coding guidelines that I could recall from when I was working with upstream on example changes. I won't be back at my home office for another week so there may be some things I'm missing but I think a number of things were covered/discussed with Evan on the example changes in https://secure.phabricator.com/D21712.
Mar 22 2022
Mar 21 2022
Mar 16 2022
I had experience with emails from my self-hosted mailserver not reaching Microsoft-hosted mailboxes. As far as I remember, their SMTP replies to "suspicious" mail servers with a message that includes a link to some sort of a form which the mail admin should fill out. That worked for me - might need to dig through the server logs to see the link though.
Mar 14 2022
@20after4 per commits like https://secure.phabricator.com/D9202 the changes were abandoned - there is no MediaWiki auth provider in core
@MacFan4000 the mediawiki auth is in core afaik. There is some custom stuff for the wikimedia ldap setup but the oauth part was merged upstream ages ago.
Mar 2 2022
Yeah if that RFC passes then that would make things way easier. And yes I used sed for a lot of the changes.
This patch suppresses the deprecation errors at each site, but there might be a simpler workaround in the same spirit: change the error_reporting calls (of which there are only a handful) to exclude E_DEPRECATED. That would risk masking any other deprecations (probably fine in production, but not in development), whereas this patch risks hiding any non-deprecation errors at these locations.
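As an added illustration, not the patch under discussion and not Phorge code, the trade-off stated above in PHP: the per-site `@` suppression, the `error_reporting` change, and a scoped handler (my addition, not proposed on the page) that hides only deprecations.

```php
<?php
// Added example, not the patch under discussion: three ways to deal with a
// PHP 8.1 deprecation such as strlen(null), and what each one hides.

// (1) Per-site suppression with "@": silences every non-fatal diagnostic at that
// call, so a genuine warning raised on the same line disappears with it.
function lengthSilenced(?string $s): int {
    return @strlen($s);
}

// (2) Global exclusion: the error_reporting change suggested in the comment.
// Every deprecation anywhere in the request is hidden, not just this one.
function withDeprecationsMaskedGlobally(callable $fn) {
    $previous = error_reporting(error_reporting() & ~E_DEPRECATED);
    try {
        return $fn();
    } finally {
        error_reporting($previous);
    }
}

// (3) Middle ground, not proposed on the page: a scoped handler that swallows
// only E_DEPRECATED/E_USER_DEPRECATED and hands every other diagnostic back to
// PHP's standard error handler by returning false.
function withOnlyDeprecationsSuppressed(callable $fn) {
    set_error_handler(function (int $errno, string $msg, string $file, int $line): bool {
        if ($errno === E_DEPRECATED || $errno === E_USER_DEPRECATED) {
            return true;   // handled: suppress just this class of diagnostic
        }
        return false;      // not handled: falls through to the standard handler
    });
    try {
        return $fn();
    } finally {
        restore_error_handler();
    }
}

// Demonstration on PHP >= 8.1, where strlen(null) raises E_DEPRECATED.
error_reporting(E_ALL);
// Each of the three approaches hides the deprecation from strlen(null):
echo lengthSilenced(null), PHP_EOL;
echo withDeprecationsMaskedGlobally(fn() => strlen(null)), PHP_EOL;
echo withOnlyDeprecationsSuppressed(fn() => strlen(null)), PHP_EOL;
// Under (3) a non-deprecation diagnostic at the same site is still reported,
// which is exactly what (1) would have masked:
withOnlyDeprecationsSuppressed(fn() => trigger_error('still visible', E_USER_WARNING));
```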
Mar 1 2022
I've been thinking about what to do with this for a while, and I have to say, it's a hard one.
Feb 1 2022
Jan 27 2022
Hey, folks -- appreciate the interest! Most of what needs doing still is outlined in T15006: Re-brand Phorge (and to a lesser extent in T15012: Update Diviner documentation to reference Phorge). There's not a ton there that's hugely difficult, there's just a lot and it's mostly tedious. Any help on anything in that list would be immensely appreciated. I have a bit more bandwidth now than I did towards the end of last year, so I can probably start making some headway on the rebrand as well now.
Jan 25 2022
^ Likewise! It'd be helpful to get an update on any progress (e.g. getting this into GitHub) and on any things that need doing/things we can get involved with to help. Thanks!
oh, wow. 8.1 breakages are massive - and I'm guessing more such breaking changes would creep in in the next versions?
Hey, is anything still going on with this? Having just discovered Phabricator I'd hate to see it die :/
Dec 13 2021
Dec 10 2021
501(c)(3) is extremely easy to set up.
Dec 9 2021
The fixes mentioned there would take a long time to implement, as things like strlen() are used in 900+ files.
Evan just posted some comments regarding 8.1 compatibility (as well as building PHP binary to ship with Arcanist, for Mac systems at least)
https://secure.phabricator.com/T13588#256390
In T15064#1705, @jeremy.norris wrote: There were more upstream changes made a week ago, https://secure.phabricator.com/w/changelog/2021.49/, that included improved PHP8 compatibility...
That'll be changes for PHP 8.0 compatibility, but that's not the same as PHP 8.1 compatibility.
There were more upstream changes made a week ago, https://secure.phabricator.com/w/changelog/2021.49/, that included improved PHP8 compatibility...
In T15064#1703, @jeremy.norris wrote: Wouldn't a massive changeset like this greatly increase difficulty of performing future merges of upstream (secure.phabricator.com)?
Wouldn't a massive changeset like this greatly increase difficulty of performing future merges of upstream (secure.phabricator.com)?
Well, there are inconsistencies. For example, subscribers are called "spies" in the task overview, but "subscribers" in the task history, and "spies" again in task actions.
Dec 7 2021
I have submitted patches to fix most of the issues. The following issues still remain.
Dec 5 2021
Once the rebranding is complete we can send updated strings to translatewiki so that everything remains in sync.
Dec 4 2021
Dec 3 2021
Here is the commit that introduced this
In T15055#1426, @speck wrote: The effort to rebrand Phabricator is going to result in changes to a lot of text which would likely invalidate a large number of translation entries.
It is not very clear to understand where the problem is and how to try to help improve it. I am not familiar with Pirate English. Other than adding "Arrr." I mean.
Dec 2 2021
In T15059#1654, @speck wrote: I just checked the emails I receive to my gmail account and noticed that the emails seem to be from the secure.phorge.dev domain. Should those be received from we.phorge.it instead? I was in the process of filling out an issue form for Microsoft and noticed this discrepancy. Could that cause issues like this?
I just checked the emails I receive to my gmail account and noticed that the emails seem to be from the secure.phorge.dev domain. Should those be received from we.phorge.it instead? I was in the process of filling out an issue form for Microsoft and noticed this discrepancy. Could that cause issues like this?
Dec 1 2021
I noticed this recently too. These PHP 8 updates have been frustrating because it breaks Arcanist for users as well...
A few months back this story came up on hackernews which seems relevant. There might be things in there we can attempt to appeal to Microsoft to allow emails from this Phorge instance to go through
After making lots of changes in my clone to suppress deprecation warnings, I am stuck at the following error.
[Wed Dec 01 16:06:24.853494 2021] [proxy_fcgi:error] [pid 2472770:tid 139879417599744] [client <REDACTED>] AH01071: Got error 'PHP message: [2021-12-01 16:06:24] EXCEPTION: (Exception) Bad getter call: getPreferences at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:1620]
PHP message: arcanist(head=master, ref.master=c53bb21bbd3e), phabricator(head=master, ref.master=4448a93a4067), testwiki-ext-misc(head=master, ref.master=c12e85d3a97a)
PHP message: #0 <#2> LiskDAO::call(string, array) called at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:1598]
PHP message: #1 <#2> LiskDAO::call(string, array) called at [<phabricator>/src/applications/people/storage/PhabricatorUser.php:446]
PHP message: #2 <#2> PhabricatorUser::loadGlobalSettings() called at [<phabricator>/src/applications/people/storage/PhabricatorUser.php:377]
PHP message: #3 <#2> PhabricatorUser::getUserSetting(string) called at [<phabricator>/src/applications/people/storage/PhabricatorUser.php:428]
PHP message: #4 <#2> PhabricatorUser::getTranslation() called at [<phabricator>/src/applications/auth/engine/PhabricatorAuthSessionEngine.php:1127]
PHP message: #5 <#2> PhabricatorAuthSessionEngine::willServeRequestForUser(PhabricatorUser) called at [<phabricator>/src/applications/base/controller/PhabricatorController.php:109]
PHP message: #6 <#2> PhabricatorController::willBeginExecution() called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:271]
PHP message: #7 phlog(Exception) called at [<phabricator>/src/aphront/handler/PhabricatorDefaultRequestExceptionHandler.php:41]
PHP message: #8 PhabricatorDefaultRequestExceptionHandler::handleRequestThrowable(AphrontRequest, Exception) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:751]
PHP message: #9 AphrontApplicationConfiguration::handleThrowable(Exception) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:296]
PHP message: #10 AphrontApplicationConfiguration::processRequest(AphrontRequest, PhutilDeferredLog, AphrontPHPHTTPSink, MultimeterControl) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:204]
PHP message: #11 AphrontApplicationConfiguration::runHTTPRequest(AphrontPHPHTTPSink) called at [<phabricator>/webroot/index.php:35]
PHP message: [2021-12-01 16:06:24] EXCEPTION: (PhutilAggregateException) Encountered a processing exception, then another exception when trying to build a response for the first exception.\n - Exception: Bad setter call: setUserPHID\n - Exception: Bad getter call: getPreferences at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:316]
PHP message: arcanist(head=master, ref.master=c53bb21bbd3e), phabricator(head=master, ref.master=4448a93a4067), testwiki-ext-misc(head=master, ref.master=c12e85d3a97a)
PHP message: #0 <#4> LiskDAO::call(string, array) called at [<phabricator>/src/applications/people/storage/PhabricatorUser.php:446]
PHP message: #1 <#4> PhabricatorUser::loadGlobalSettings() called at [<phabricator>/src/applications/people/storage/PhabricatorUser.php:377]
PHP message: #2 <#4> PhabricatorUser::getUserSetting(string) called at [<phabricator>/src/applications/people/storage/PhabricatorUser.php:428]
PHP message: #3 <#4> PhabricatorUser::getTranslation() called at [<phabricator>/src/applications/auth/engine/PhabricatorAuthSessionEngine.php:1127]
PHP message: #4 <#4> PhabricatorAuthSessionEngine::willServeRequestForUser(PhabricatorUser) called at [<phabricator>/src/applications/base/controller/PhabricatorController.php:109]
PHP message: #5 <#4> PhabricatorController::willBeginExecution() called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:271]
PHP message: #6 <#3> LiskDAO::call(string, array) called at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:1598]
PHP message: #7 <#3> LiskDAO::__call(string, array) called at [<phabricator>/src/applications/search/engine/PhabricatorApplicationSearchEngine.php:666]
PHP message: #8 <#3> PhabricatorApplicationSearchEngine::getBuiltinQueries() called at [<phabricator>/src/applications/search/engine/PhabricatorApplicationSearchEngine.php:500]
PHP message: #9 <#3> PhabricatorApplicationSearchEngine::loadAllNamedQueries() called at [<phabricator>/src/applications/search/engine/PhabricatorApplicationSearchEngine.php:537]
PHP message: #10 <#3> PhabricatorApplicationSearchEngine::loadEnabledNamedQueries() called at [<phabricator>/src/view/page/menu/PhabricatorMainMenuSearchView.php:157]
PHP message: #11 <#3> PhabricatorMainMenuSearchView::getGlobalSearchScopeItems(PhabricatorUser, PhabricatorFlagsApplication) called at [<phabricator>/src/view/page/menu/PhabricatorMainMenuSearchView.php:205]
PHP message: #12 <#3> PhabricatorMainMenuSearchView::buildModeSelector(string, string) called at [<phabricator>/src/view/page/menu/PhabricatorMainMenuSearchView.php:89]
PHP message: #13 <#3> javelin_tag(string, array, array) called at [<phabricator>/src/view/phui/PHUIListItemView.php:426]
PHP message: #14 <#3> phutil_tag(string, array, array) called at [<phabricator>/src/infrastructure/javelin/markup.php:70]
PHP message: #15 <#3> javelin_tag(string, array, array) called at [<phabricator>/src/view/AphrontTagView.php:161]
PHP message: #16 <#3> AphrontTagView::render() called at [<phabricator>/src/view/AphrontView.php:222]
PHP message: #17 <#3> AphrontView::producePhutilSafeHTML() called at [<phabricator>/src/infrastructure/markup/render.php:111]
PHP message: #18 <#3> phutil_escape_html(PHUIListView) called at [<phabricator>/src/infrastructure/markup/render.php:135]
PHP message: #19 <#3> phutil_escape_html(array) called at [<phabricator>/src/infrastructure/markup/render.php:97]
PHP message: #20 <#3> phutil_tag(string, array, array) called at [<phabricator>/src/view/page/menu/PhabricatorMainMenuView.php:168]
PHP message: #21 <#3> PhabricatorMainMenuView::render() called at [<phabricator>/src/view/page/PhabricatorStandardPageView.php:374]
PHP message: #22 <#3> PhabricatorStandardPageView::willRenderPage() called at [<phabricator>/src/view/page/AphrontPageView.php:46]
PHP message: #23 <#3> AphrontPageView::render() called at [<phabricator>/src/applications/base/controller/PhabricatorController.php:286]
PHP message: #24 <#3> PhabricatorController::willSendResponse(AphrontDialogResponse) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:300]
PHP message: #25 <#2> AphrontApplicationConfiguration::processRequest(AphrontRequest, PhutilDeferredLog, AphrontPHPHTTPSink, MultimeterControl) called at [<phabricator>/src/aphront/configuration/AphrontApplicationConfiguration.php:204]
PHP message: #26 <#2> AphrontApplicationConfiguration::runHTTPRequest(AphrontPHPHTTPSink) called at [<phabricator>/webroot/index.php:35]
PHP message: #27 phlog(PhutilAggregateException) called at [<phabricator>/src/aphront/response/AphrontUnhandledExceptionResponse.php:32]
PHP message: #28 AphrontUnhandledExceptionResponse::setException(PhutilAggregateException) called at [<phabricator>/webroot/index.php:46]'
Nov 30 2021
Nov 29 2021
Nov 28 2021
Nov 3 2021
Nov 2 2021
We had a similar issue with Microsoft email on our own custom mail server. Microsoft delivers mail for several domains from the same email service, so this similarly affects email from outlook.com, hotmail.com, live.com and msn.com. See https://postmaster.live.com/pm/policies.aspx for details.
This is likely related more to the configuration of the email server. Outlook is very picky, and as far as I know, checks the headers for all of the following:
Oct 31 2021
I can confirm as well that I have never received an email from phorge / phabricator on my email which isn't "outlook.com" but is an office 365 email account
Oct 30 2021
Do you have any additional repro steps? Mail config will be specific to the Phab/Phorge install. If this is specific to our Phorge installation, yeah... it's sucky. We self-host our email server and that means we're subject to all of the arcane and mystic requirements there. As far as we can tell, it's set up as correctly as is possible (SPF, DKIM, DMARC all configured correctly; domain is old enough that it doesn't negatively impact our trust scores; etc.). (A current spam test result for reference.)
@valerio.bozzolan Fancy seeing you here. I'm Void from your phabricator instance.