
Lock `phabricator.show-prototypes`

Authored by epriestley <git@epriestley.com> on Dec 15 2014, 20:00.

Description

Lock phabricator.show-prototypes

Summary:
Two goals:

  • If an attacker compromises an administrator account (without compromising the host itself), they can currently take advantage of vulnerabilities in prototype applications by enabling the applications, then exploiting the vulnerability. Locking this option requires CLI access to enable prototypes, so installs which do not have prototypes enabled have no exposure to security issues in prototype applications.
  • Making this very slightly harder to enable is probably a good thing, given the state of the world and support.

Test Plan: Verified that web UI shows the value is locked and instructs the user to update via the CLI.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10993
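An added illustration of the mechanism the commit message relies on: a Phabricator config option declared unlocked beside the same kind of option declared locked. This page does not show the commit's diff, so this is not the project's code; it assumes the `PhabricatorApplicationConfigOptions` base class, its `newOption()` builder, the `setLocked()` / `setDescription()` methods of the option object, and the `bin/config` CLI as they exist in Phabricator. The option names prefixed `example.` are constructed for this illustration.

```php
<?php
// Added illustration, not the commit's diff. Assumes Phabricator's
// config-option API: PhabricatorApplicationConfigOptions::newOption(),
// PhabricatorConfigOption::setLocked() and ::setDescription().
final class ExamplePrototypeConfigOptions
  extends PhabricatorApplicationConfigOptions {

  public function getName() {
    return pht('Example: Prototype Applications');
  }

  public function getDescription() {
    return pht('Shows an unlocked option beside a locked one.');
  }

  public function getGroup() {
    return 'core';
  }

  public function getOptions() {
    return array(
      // Weak form: any administrator can flip this from the web config UI.
      // A compromised administrator account is therefore enough to turn on
      // prototype applications and reach whatever bugs they contain.
      $this->newOption('example.show-prototypes-unlocked', 'bool', false)
        ->setDescription(pht('Unlocked: editable from the web UI.')),

      // Hardened form: setLocked(true) makes the web UI refuse edits and
      // display that the value is locked. Changing it requires shell access
      // to the host, e.g.
      //   ./bin/config set example.show-prototypes-locked true
      // which is the property the commit message wants for
      // phabricator.show-prototypes.
      $this->newOption('example.show-prototypes-locked', 'bool', false)
        ->setLocked(true)
        ->setDescription(pht('Locked: change it with bin/config only.')),
    );
  }
}
```

The defensive value is the separation of privilege: an account-level compromise of a web administrator no longer suffices to widen the attack surface, because the setting is bound to host-level access. Operators can confirm the state of such an option with `./bin/config get <key>` and by checking that the web config page reports it as locked.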

Details

Committed
epriestley <git@epriestley.com>, Dec 15 2014, 20:00
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH2037979142cb: Prevent Phame blogs from using invalid skins
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH2c7be52fc23e: Lock `phabricator.show-prototypes` (authored by epriestley <git@epriestley.com>). Dec 15 2014, 20:00