Feed All Stories

Today

roguelazer closed T15099: Bugs in 2022 Week 21 Stable as Resolved.

epriestly pushed basically-identical but cleaner fixes for these in https://secure.phabricator.com/D21849

Sat, May 28, 15:10
golyalpha added a comment to T15094: Catch up the master branch to upstream.

To be fair, I wouldn't discount already needing access as a viable attack vector, even on private installations.

Sat, May 28, 06:38 · Trusted Contributors, Phorge
dcog added a comment to T15094: Catch up the master branch to upstream.

It sounds specific to people who already have access, thank you -- do very much need to pull in latest

Sat, May 28, 06:32 · Trusted Contributors, Phorge
golyalpha added a comment to T15094: Catch up the master branch to upstream.

The disclosed issue is that someone can gain access to Files objects they don't have access to by, for example, getting someone with permissions to edit a task they wrote (by including a reference to that file which gets "activated" when the person with permissions to view it saves the edit), which makes the file accessible via the task description.

Sat, May 28, 06:19 · Trusted Contributors, Phorge
dcog added a comment to T15094: Catch up the master branch to upstream.

Thanks -- Offhand do you know if this is related to login in that a malicious actor can gain access unpatched?

Sat, May 28, 06:11 · Trusted Contributors, Phorge
golyalpha added a comment to T15094: Catch up the master branch to upstream.

Upstream-T13683

IMPORTANT: This release mitigates a severe security issue which allows attackers with few permissions to gain access to files they cannot otherwise see. All installs are strongly advised to upgrade.
Sat, May 28, 05:10 · Trusted Contributors, Phorge
roguelazer created T15099: Bugs in 2022 Week 21 Stable.
Sat, May 28, 00:15
roguelazer added a comment to T15094: Catch up the master branch to upstream.

FYI today's release (2022 week 21 stable) has some pretty serious security content

Sat, May 28, 00:12 · Trusted Contributors, Phorge

Sun, May 22

0 requested changes to D25038: Add Status, sequence and isDefault to the conduit api results for column.search.
Sun, May 22, 19:22

Sat, May 21

speck added a comment to T15094: Catch up the master branch to upstream.

@dcog I think the differences with the Harbormaster changes are due to the different approach taken. We planned to do the approach which you took in D25036 which re-played the Phorge diffs on top of phabricator, however in D25040 I just did a merge of the phab/master branch into phorge/master where the Harbormaster changes already existed. Since upstream didn't modify the same Harbormaster files there were no conflicts and things merged appropriately. I did a sanity check of files changed on D25005 with the files changed on D25040.

Sat, May 21, 17:06 · Trusted Contributors, Phorge
speck added a comment to T15094: Catch up the master branch to upstream.

Do we even have servers to run the tests on?

Sat, May 21, 16:56 · Trusted Contributors, Phorge
speck updated the summary of D25039: merge phab/master -> phorge/master.
Sat, May 21, 16:43
speck added a revision to T15094: Catch up the master branch to upstream: D25039: merge phab/master -> phorge/master.
Sat, May 21, 16:43 · Trusted Contributors, Phorge
speck added a revision to T15094: Catch up the master branch to upstream: D25040: merge phab/master -> phorge/master.
Sat, May 21, 16:43 · Trusted Contributors, Phorge
speck updated the summary of D25040: merge phab/master -> phorge/master.
Sat, May 21, 16:43
golyalpha added a comment to T15094: Catch up the master branch to upstream.
In T15094#2292, @speck wrote:

I did not think we had Harbormaster set up to run unit tests - I think that involves configuring both Harbormaster and Drydock, and possibly Almanac which I don't think anyone has done.

I'll go back and review those Harbormaster file changes. Thanks for pointing that out!

Sat, May 21, 16:40 · Trusted Contributors, Phorge
golyalpha added a comment to T15094: Catch up the master branch to upstream.
In T15094#2281, @dcog wrote:

This would be a legitimately good exercise to try and do "properly"... although, the thought of not doing it optimally can be a bit of a barrier to starting..

Given the edge cases outlined in T15094#2279, would there be cases in step 2 (or 1?) from T15094#2259 that might benefit from Git cherry-picking? @golyalpha, any thoughts on that? I nearly never have to use cherry-picking, or maybe I should, but either way I'm not very familiar with it other than I'm wondering if it may be relevant

After some reading I'm finding that, as far as I can tell, it's not designed to pick/integrate *specific lines* from a diff, but rather a specific whole commit (from any local or remote branch most likely).. if I'm understanding it correctly

But, perhaps, it could still have the same effect as removing lines from one, and keeping lines from the other when grabbing specific whole commits

The more I think about this the more I'm confusing myself, but hopefully some fraction of this makes sense

Sat, May 21, 16:37 · Trusted Contributors, Phorge
speck added a comment to T15094: Catch up the master branch to upstream.

I did not think we had Harbormaster set up to run unit tests - I think that involves configuring both Harbormaster and Drydock, and possibly Almanac which I don't think anyone has done.

Sat, May 21, 16:24 · Trusted Contributors, Phorge
dcog added a comment to T15094: Catch up the master branch to upstream.

I would think that your method produced the results we want... though I was noticing this:

Sat, May 21, 15:34 · Trusted Contributors, Phorge
dcog awarded D25039: merge phab/master -> phorge/master a Party Time token.
Sat, May 21, 15:23
dcog awarded D25040: merge phab/master -> phorge/master a Party Time token.
Sat, May 21, 15:23
dcog added a comment to T15094: Catch up the master branch to upstream.

I see it looks like Harbormaster itself does the testing?

Sat, May 21, 15:21 · Trusted Contributors, Phorge
dcog added a comment to T15094: Catch up the master branch to upstream.

My vote is that if tests pass we go ahead and do the thing.... More changes in upstream seems fine, and moving forward if we keep up it should get easier and easier hopefully

Sat, May 21, 15:18 · Trusted Contributors, Phorge
dcog added a comment to T15094: Catch up the master branch to upstream.

Oh nice!!

Sat, May 21, 15:17 · Trusted Contributors, Phorge
dcog added a comment to T15094: Catch up the master branch to upstream.
Sat, May 21, 15:15 · Trusted Contributors, Phorge
speck added a comment to T15094: Catch up the master branch to upstream.

Though it does appear additional work has been landing upstream today

Sat, May 21, 00:52 · Trusted Contributors, Phorge
speck added a comment to T15094: Catch up the master branch to upstream.

Any concerns about landing those changes? Once I land I'll see about updating this instance which should make accessing the repositories possible again.

Sat, May 21, 00:45 · Trusted Contributors, Phorge

Fri, May 20

speck added a comment to D25040: merge phab/master -> phorge/master.

I had to skip unit tests because phabricator/phorge unit tests require a local database to test against which I don't have set up. The lint failures are either pre-existing TODOs being flagged or the newest lint which catches product name literals. We should fix the literals but I don't want to fix that as part of the merge -- would rather do that in a separate change.

Fri, May 20, 03:09
speck added a comment to D25039: merge phab/master -> phorge/master.

Unit tests all pass. For the two lint errors, one is erroneous checking characters used in a non-code file, the other is pre-existing and fine to leave alone.

Fri, May 20, 03:07
speck added a comment to T15094: Catch up the master branch to upstream.

Merged the arcanist repository in D25039

Fri, May 20, 03:06 · Trusted Contributors, Phorge
speck requested review of D25040: merge phab/master -> phorge/master.
Fri, May 20, 03:05
speck updated the summary of D25039: merge phab/master -> phorge/master.
Fri, May 20, 02:54
speck requested review of D25039: merge phab/master -> phorge/master.
Fri, May 20, 02:50

Thu, May 19

peer updated peer.
Thu, May 19, 06:36

Wed, May 18

dtf added a member for Maniphest: dtf.
Wed, May 18, 18:54

Tue, May 17

dcog added a comment to T15094: Catch up the master branch to upstream.

This would be a legitimately good exercise to try and do "properly"... although, the thought of not doing it optimally can be a bit of a barrier to starting..

Tue, May 17, 19:51 · Trusted Contributors, Phorge
dcog edited the content of 2022-05-17.
Tue, May 17, 19:34
dcog updated subscribers of 2022-05-17.

@dtf Pointed out that this thread on secure is highly relevant:

Tue, May 17, 19:30
dcog added a comment to 2022-05-17.

Thinking that based on the first item in (2) Rebrand here: https://we.phorge.it/w/planning_meetings/2022-05-03/#agenda-items-and-notes

Tue, May 17, 19:22
dcog added a comment to T15094: Catch up the master branch to upstream.

Here is one thing I noticed... In at least a couple of the files, there may be changes that:

Tue, May 17, 19:21 · Trusted Contributors, Phorge
dcog added a comment to 2022-04-05.

Referencing a comment from the earlier document:

Tue, May 17, 19:05

Mon, May 16

Higgs added a comment to T15098: Disabled required fields in subtypes should neither block creation of a task nor be displayed in the frontend.

I inspected the code in some detail and I figured out how to get the default value of a custom field. In a first attempt to solve my issue I tried to only show a field value in the property list of a Task if its value differs from the field default value, but this does not work because I cannot get the current field value this way:

Mon, May 16, 06:56

Sat, May 14

20after4 awarded T15098: Disabled required fields in subtypes should neither block creation of a task nor be displayed in the frontend a Like token.
Sat, May 14, 16:26

Fri, May 13

sau226 added a comment to T15037: Should we support oauth login via github/google/etc?.

@speck I saw you commented earlier about this and am not sure if this was something you managed to do, or if you wanted someone else to handle the task?

Fri, May 13, 16:32 · Auth

Thu, May 12

golyalpha added a comment to T15094: Catch up the master branch to upstream.

If we merge, a force-push should not be required - unless you mean something other than standard git merge here.

Thu, May 12, 06:19 · Trusted Contributors, Phorge

Wed, May 11

Higgs updated the task description for T15098: Disabled required fields in subtypes should neither block creation of a task nor be displayed in the frontend.
Wed, May 11, 15:03
Higgs created T15098: Disabled required fields in subtypes should neither block creation of a task nor be displayed in the frontend.
Wed, May 11, 14:58

Tue, May 3

Matthew edited the content of 2022-05-03.
Tue, May 3, 19:56
Matthew edited the content of 2022-05-17.
Tue, May 3, 19:37
Matthew renamed 2022-04-05 from 2022-05-05 to 2022-04-05.
Tue, May 3, 19:33
Matthew edited the content of 2022-05-03.
Tue, May 3, 19:33
avivey edited the content of 2022-05-03.
Tue, May 3, 19:21
speck added a comment to T15094: Catch up the master branch to upstream.

It looks like upstream has issued a number of updates which we'll want to pull in. From {E4} we discussed doing the following:

Tue, May 3, 19:20 · Trusted Contributors, Phorge
Matthew edited the content of 2022-05-03.
Tue, May 3, 19:20
Matthew added a comment to T15095: Setup an announcements blog with Phame.

Set up two blogs: Security Announcements and a Release Announcements.

Tue, May 3, 19:13 · Phorge Upstream
Matthew claimed T15095: Setup an announcements blog with Phame.
Tue, May 3, 19:13 · Phorge Upstream
Matthew created an object: 2022-05-17.
Tue, May 3, 19:02
Matthew edited the content of Planning Meetings.
Tue, May 3, 19:02
Matthew edited the content of 2022-05-03.
Tue, May 3, 19:01
Matthew edited the content of Planning Meetings.
Tue, May 3, 18:57
Matthew renamed 2022-03-21 from March 21, 2022 to 2022-03-21.
Tue, May 3, 18:56
Matthew renamed 2022-05-05 from April 5, 2022 to 2022-05-05.
Tue, May 3, 18:55
Matthew renamed 2022-04-19 from April 19, 2022 to 2022-04-19.
Tue, May 3, 18:55
Matthew renamed 2022-05-03 from May 3, 2022 to 2022-05-03.
Tue, May 3, 18:54
mandarg updated mandarg.
Tue, May 3, 15:56
roguelazer created T15097: arc land when using submodules with squash strategy does not like the submodule.recurse git option.
Tue, May 3, 00:35

Mon, May 2

roguelazer created P4 terrible-recurse-hack.
Mon, May 2, 20:04

Sun, May 1

20after4 added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
In T15096#2233, @speck wrote:

Thank you for these write-ups, I'll need more time to review however I noticed Evan recently started a task in the upstream where it looks like he's investigating compiling PHP to a library for use with a custom native entrypoint which would allow distributing arcanist as a single binary (he estimates ~10mb in size).
https://secure.phabricator.com/T13675

Sun, May 1, 21:38 · Phorge General/Unknown, Arcanist
20after4 updated the task description for T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
Sun, May 1, 21:28 · Phorge General/Unknown, Arcanist

Sat, Apr 30

eax added a comment to T15048: Allow awarding Tokens to individual Comments.

Does anyone else feel that this is not a good idea? Seems like the consensus here is that it's at least acceptable if not desirable to have.

Sat, Apr 30, 16:37 · Tokens

Apr 28 2022

speck added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..

Thank you for these write-ups, I'll need more time to review however I noticed Evan recently started a task in the upstream where it looks like he's investigating compiling PHP to a library for use with a custom native entrypoint which would allow distributing arcanist as a single binary (he estimates ~10mb in size).
https://secure.phabricator.com/T13675

Apr 28 2022, 14:28 · Phorge General/Unknown, Arcanist
speck added a comment to T15077: Rebrand: Tracking task.

Evan recently landed a boatload of changes to address this under https://secure.phabricator.com/T13658

Apr 28 2022, 14:21 · Phorge
micax added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..

Definitely agree that the effort to set up arcanist isn't huge. And at my current work, it's baked into our common Dev PC setup, so it's almost zero effort. But there is an effort, and a dev/user who is just passing by to fix a typo or suggest a one-line change in some code isn't going to be willing to do that effort.

Apr 28 2022, 07:04 · Phorge General/Unknown, Arcanist

Apr 27 2022

20after4 added a comment to D25021: Added cross-platform default fonts.

This seems sensible to me, FWIW

Apr 27 2022, 15:59
20after4 added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..

@micax: Good points and it's helpful to hear another perspective on this. From my past experience using Phabricator on a corporate team I definitely think that arcanist helped keep everyone's workflow consistent and simple.

Apr 27 2022, 15:54 · Phorge General/Unknown, Arcanist
micax added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..

I find this rather interesting (and a little bit weird, to some extent), because IMO the arcanist command line tool is one of the things which IMO _add_ value to Phabricator and sets it apart from its alternatives.

Apr 27 2022, 12:30 · Phorge General/Unknown, Arcanist

Apr 25 2022

20after4 edited the content of April 19, 2022.
Apr 25 2022, 07:42 · Governance
20after4 created T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
Apr 25 2022, 07:39 · Phorge General/Unknown, Arcanist
hof updated hof.
Apr 25 2022, 07:09

Apr 24 2022

20after4 awarded D25034: support language highlighting for GFM-style code blocks a Mountain of Wealth token.
Apr 24 2022, 18:50
20after4 added Q11: upgrade phabricator to phorge (Answer 3).
Apr 24 2022, 18:45
20after4 added a task to D25037: Hide the "hidden" fields on custom form previews: T15081: Figure out if there are patches from Wikimedia's fork that are desirable to upstream in Phorge.
Apr 24 2022, 18:39
20after4 added a task to D25038: Add Status, sequence and isDefault to the conduit api results for column.search: T15081: Figure out if there are patches from Wikimedia's fork that are desirable to upstream in Phorge.
Apr 24 2022, 18:39
20after4 added revisions to T15081: Figure out if there are patches from Wikimedia's fork that are desirable to upstream in Phorge: D25038: Add Status, sequence and isDefault to the conduit api results for column.search, D25037: Hide the "hidden" fields on custom form previews.
Apr 24 2022, 18:39 · Phorge Upstream
20after4 updated the diff for D25038: Add Status, sequence and isDefault to the conduit api results for column.search.

Fix line length

Apr 24 2022, 18:36
20after4 retitled D25038: Add Status, sequence and isDefault to the conduit api results for column.search from Add column sequence to the conduit api results for column.search to Add Status, sequence and isDefault to the conduit api results for column.search.
Apr 24 2022, 18:34
20after4 updated the diff for D25038: Add Status, sequence and isDefault to the conduit api results for column.search.

celerity map

Apr 24 2022, 18:30
20after4 requested review of D25038: Add Status, sequence and isDefault to the conduit api results for column.search.
Apr 24 2022, 18:29
20after4 requested review of D25037: Hide the "hidden" fields on custom form previews.
Apr 24 2022, 18:19
20after4 added a comment to T15048: Allow awarding Tokens to individual Comments.

Does anyone else feel that this is not a good idea? Seems like the consensus here is that it's at least acceptable if not desirable to have.

Apr 24 2022, 17:58 · Tokens
20after4 added a comment to T15048: Allow awarding Tokens to individual Comments.

I did a bit of digging through the source code and it looks like tokens are implemented in an incredibly generic way, such that it wouldn't be at all difficult to add tokens to comments. I think the hardest part will be integrating it with the UI.

Apr 24 2022, 17:55 · Tokens
20after4 added a comment to T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation.
In T15090#2141, @avivey wrote:

@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.

Yes, probably. "Announcements"-style thing

Apr 24 2022, 17:51 · Phorge General/Unknown, Restricted Project
20after4 created T15095: Setup an announcements blog with Phame.
Apr 24 2022, 17:51 · Phorge Upstream

Apr 22 2022

Bezalel updated Bezalel.
Apr 22 2022, 12:50
jmeador added a comment to April 19, 2022.

@speck Would it be totally unreasonable to instead do:

Apr 22 2022, 03:06 · Governance

Apr 20 2022

Matthew added a comment to T15026: Create a migration guide to move from Phabricator to Phorge.

As of right now, we have made no changes to the database and other "internals" - our work has been focused on rebranding as "Phabricator" is a trademarked name. For this reason, a rough migration path would be to check out the master branch of rP, copy the config directory from Phabricator to Phorge, and then point Phorge to your Phabricator database. I have tested it myself locally and it appears to work; however, if you have any issues feel free to ask a question on Ponder here and we can get back to you!

Apr 20 2022, 13:47 · Phorge
dcog added a comment to April 19, 2022.

translations: The rebranding approach of changing the pht() keys will invalidate a lot of existing translations. Investigate if there are ways to avoid this.

Apr 20 2022, 13:47 · Governance
speck edited the content of April 19, 2022.
Apr 20 2022, 13:06 · Governance
Higgs added a comment to T15026: Create a migration guide to move from Phabricator to Phorge.

We are now at a decision point where we either install Phorge from Scratch or migrate Phabricator to Phorge.

Apr 20 2022, 09:57 · Phorge
javier closed Q11: upgrade phabricator to phorge as resolved.
Apr 20 2022, 08:26