Lock `phabricator.show-prototypes` · recaptime.dev/phorge@2c7be52

@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

phorge phabricator

fork

Lock `phabricator.show-prototypes`

Summary:
Two goals:

- If an attacker compromises an administrator account (without compromising the host itself), they can currently take advantage of vulnerabilities in prototype applications by enabling the applications, then exploiting the vulnerability. Locking this option requires CLI access to enable prototypes, so installs which do not have prototypes enabled have no exposure to security issues in prototype applications.
- Making this very slightly harder to enable is probably a good thing, given the state of the world and support.

Test Plan: Verified that web UI shows the value is locked and instructs the user to update via the CLI.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10993

epriestley 11 years ago 2c7be52f 20379791

1 changed file

expand all

src

applications

config

option

PhabricatorCoreConfigOptions.php

src/applications/config/option/PhabricatorCoreConfigOptions.php

··· 92 92 'create a collision preventing you from logging in.')) 93 93 ->addExample('dev', pht('Prefix cookie with "dev"')), 94 94 $this->newOption('phabricator.show-prototypes', 'bool', false) 95 + ->setLocked(true) 95 96 ->setBoolOptions( 96 97 array( 97 98 pht('Enable Prototypes'),

Configure Feed

Configure Feed