@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
Use %P for all sensitive command construction in Phabricator
Summary: Depends on D6366. Applies %P everywhere.
Test Plan: Ran various daemon commands via scripts, e.g. `bin/repository pull`, `bin/storage dump`.
Reviewers: btrahan, mbishopim3
Reviewed By: btrahan
CC: aran
Differential Revision: https://secure.phabricator.com/D6367
+18
-19
+16
-16
src/applications/repository/storage/PhabricatorRepository.php
+16
-16
src/applications/repository/storage/PhabricatorRepository.php
···
170
170
array_unshift(
171
171
$args,
172
172
csprintf(
173
-
'ssh -l %s -i %s',
174
-
$this->getSSHLogin(),
175
-
$this->getSSHKeyfile()));
173
+
'ssh -l %P -i %P',
174
+
new PhutilOpaqueEnvelope($this->getSSHLogin()),
175
+
new PhutilOpaqueEnvelope($this->getSSHKeyfile())));
176
176
break;
177
177
case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
178
178
$command = call_user_func_array(
179
179
'csprintf',
180
180
array_merge(
181
181
array(
182
-
"(ssh-add %s && HOME=%s git {$pattern})",
183
-
$this->getSSHKeyfile(),
182
+
"(ssh-add %P && HOME=%s git {$pattern})",
183
+
new PhutilOpaqueEnvelope($this->getSSHKeyfile()),
184
184
$empty,
185
185
),
186
186
$args));
···
192
192
array_unshift(
193
193
$args,
194
194
csprintf(
195
-
'ssh -l %s -i %s',
196
-
$this->getSSHLogin(),
197
-
$this->getSSHKeyfile()));
195
+
'ssh -l %P -i %P',
196
+
new PhutilOpaqueEnvelope($this->getSSHLogin()),
197
+
new PhutilOpaqueEnvelope($this->getSSHKeyfile())));
198
198
break;
199
199
default:
200
200
throw new Exception("Unrecognized version control system.");
···
207
207
"--non-interactive ".
208
208
"--no-auth-cache ".
209
209
"--trust-server-cert ".
210
-
"--username %s ".
211
-
"--password %s ".
210
+
"--username %P ".
211
+
"--password %P ".
212
212
$pattern;
213
213
array_unshift(
214
214
$args,
215
-
$this->getDetail('http-login'),
216
-
$this->getDetail('http-pass'));
215
+
new PhutilOpaqueEnvelope($this->getDetail('http-login')),
216
+
new PhutilOpaqueEnvelope($this->getDetail('http-pass')));
217
217
break;
218
218
default:
219
219
throw new Exception(
···
226
226
"svn ".
227
227
"--non-interactive ".
228
228
"--no-auth-cache ".
229
-
"--username %s ".
230
-
"--password %s ".
229
+
"--username %P ".
230
+
"--password %P ".
231
231
$pattern;
232
232
array_unshift(
233
233
$args,
234
-
$this->getDetail('http-login'),
235
-
$this->getDetail('http-pass'));
234
+
new PhutilOpaqueEnvelope($this->getDetail('http-login')),
235
+
new PhutilOpaqueEnvelope($this->getDetail('http-pass')));
236
236
break;
237
237
default:
238
238
throw new Exception(
+2
-3
src/infrastructure/storage/management/workflow/PhabricatorStorageManagementDumpWorkflow.php
+2
-3
src/infrastructure/storage/management/workflow/PhabricatorStorageManagementDumpWorkflow.php
···
33
33
34
34
$password = $api->getPassword();
35
35
if ($password) {
36
-
$password = $password->openEnvelope();
37
-
if (strlen($password)) {
38
-
$flag_password = csprintf('-p%s', $password);
36
+
if (strlen($password->openEnvelope())) {
37
+
$flag_password = csprintf('-p%P', $password);
39
38
}
40
39
}
41
40