
Lock feed.public and feed.http-hooks config options

Authored by epriestley <git@epriestley.com> on Dec 29 2014, 17:04.

Description

Lock feed.public and feed.http-hooks config options

Summary:
Ref T6817. Ref T5726. These both bypass policy checks, and would allow an attacker who gains control of an administrative account to enable public feed, then view feed stories they could not normally see; or enable feed.http-hooks, then read the posted text.

In the longer term I'd like to remove feed.public completely (possibly providing API alternatives, if necessary).

Test Plan: Looked at options in web UI and saw them locked.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T6817, T5726

Differential Revision: https://secure.phabricator.com/D11046

Details

Committed
epriestley <git@epriestley.com>, Dec 29 2014, 17:04
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH102e431feb01: Migrate Maniphest task blockers to modern EdgeType classes
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH9dd0eca335d5: Lock feed.public and feed.http-hooks config options (authored by epriestley <git@epriestley.com>). Dec 29 2014, 17:04