Our local Phabricator install was recently impacted by the upstream [[ https://secure.phabricator.com/w/changelog/2022.21/ | 2022 Week 21 (Late May) ]] update, which mitigated a permission escalation issue with file references.
The [[ https://secure.phabricator.com/T13683 | security guidance ]] task mentions some limitations in passing:
> Some reasonable cases where Phabricator should be able to determine that an attachment is safe (e.g., using the "Upload File" dialog, and some unmodernized interfaces in various applications) are not yet automatically identified as safe and must be manually attached. See [[ https://secure.phabricator.com/T13682 | T13682 ]] for some discussion of future work.
It appears that some workflows do indeed work as they did before, i.e. they both upload the file and attach it to the parent object, granting implicit visibility of the file to anyone who can see the parent object. From experiments on our local install, I've assembled the following truth table:
> | Where | Upload to files application and reference {Fxxxx} | "Upload File" in text box | Paste into text box | Drag & drop into text box
> |-- |-- |-- |-- |--
> | Task description | Yes | No | Yes | Yes
> | Task comment | Yes | No | Yes | Yes
> | Revision summary from arc | Yes | N/A | N/A | N/A
> | Revision test plan from arc | Yes | N/A | N/A | N/A
> | Revision summary from web | Yes | No | Yes | Yes
> | Revision test plan from web | Yes | No | Yes | Yes
> | Revision comment | Yes | No | Yes | Yes
>
> NOTE: The `Upload to files application and reference {Fxxxx}` used the defaults at https://phabricator.internal.encircleapp.com/file/upload/ where `Visible To` was set to `All Users`.
In particular, the `"Upload File" in text box` workflow seems to be glaringly broken. I have no idea if upstream plans to fix this as a charity or whether this'll have to be fixed through the community (and maybe contributed back upstream if epriestley accepts).