Mozilla's Phabricator fork addressed three vulnerabilities recently. We may want to merge some of their changes: https://github.com/mozilla-conduit/phabricator/commits/master/
1. D25464 Stored XSS via PDF files. https://github.com/mozilla-conduit/phabricator/commit/5ec132bf9ebfb90558f1b7f646772176629f86d0
Further reading about this kind of vulnerability: https://github.com/jonaslejon/malicious-pdf
2. "Possible XSS when downloading raw diffs from a revision" https://github.com/mozilla-conduit/phabricator/commit/d8bb7d91b7d219902afed1ae7a8ae5e33862a842
I haven't figured out how it works yet. We have explicitly set the MIME type to text/plain, and special characters in filenames are escaped or replaced with `_` in generated URLs. Will investigate further if they make their bug report open to the public. https://bugzilla.mozilla.org/show_bug.cgi?id=1849193
3. T15663 Profile transformation on private files makes it publicly accessible
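For items 1 and 2, the common defensive pattern is to never let a user-supplied file (PDF, HTML, SVG, or a raw diff) be rendered inline from the application's own origin, and to keep the filename from reaching a response header unsanitized. The following is an added illustration of that pattern, not Phabricator code and not the fix from either Mozilla commit. The header names are standard HTTP; the `ACTIVE_CONTENT_TYPES` set and the `download_headers` / `sanitize_filename` functions are constructed for this example.

```python
import re
import urllib.parse

# MIME types that browsers will render as active content (scripting, plugins,
# same-origin access) when served inline. Constructed list for this example;
# PDF is here because browser PDF viewers can execute embedded JavaScript.
ACTIVE_CONTENT_TYPES = {
    "application/pdf",
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


def is_active_content(declared_type: str) -> bool:
    """True if the declared MIME type (parameters ignored) is on the list."""
    base = declared_type.split(";", 1)[0].strip().lower()
    return base in ACTIVE_CONTENT_TYPES


def sanitize_filename(name: str) -> str:
    """Return an ASCII-only filename safe to embed in a quoted header value.

    CR/LF are removed so the name can never terminate the header line, and
    everything outside [A-Za-z0-9._-] is replaced with '_', matching the
    'replaced with _' behaviour mentioned in the post.
    """
    name = name.replace("\r", "").replace("\n", "")
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    name = name.lstrip(".") or "download"  # no dotfiles, no empty names
    return name[:255]


def download_headers(original_name: str, declared_type: str) -> dict:
    """Build response headers for serving a user-supplied file.

    - Active content is downgraded to application/octet-stream; anything
      else keeps its declared type (e.g. text/plain for a raw diff).
    - Content-Disposition is always 'attachment', with an ASCII fallback
      name and an RFC 5987 filename* carrying the original UTF-8 name.
    - nosniff stops the browser from second-guessing the declared type,
      and a sandboxed CSP covers the case where the file is opened anyway.
    """
    content_type = ("application/octet-stream"
                    if is_active_content(declared_type) else declared_type)
    ascii_name = sanitize_filename(original_name)
    utf8_name = urllib.parse.quote(
        original_name.replace("\r", "").replace("\n", ""), safe="")
    return {
        "Content-Type": content_type,
        "Content-Disposition": (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{utf8_name}"
        ),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample requests: a PDF upload and a raw revision diff.
    for name, mime in [("report.pdf", "application/pdf"),
                       ("D123.diff", "text/plain")]:
        for header, value in download_headers(name, mime).items():
            print(f"{header}: {value}")
        print()
```

The downgrade to `application/octet-stream` plus `attachment` is what removes the stored-XSS vector for PDFs served from the application origin; the filename sanitization is independent of that and only closes header-injection and quoting problems, so both are needed.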