
Phabricator XSS vulnerability
Closed, Resolved · Public

Event Timeline

Danny_B created this task.Jul 2 2016, 1:26 PM
Restricted Application added a subscriber: Aklapper.Jul 2 2016, 1:26 PM
Danny_B triaged this task as High priority.Jul 2 2016, 1:27 PM
Danny_B added a project: Phabricator.
Luke081515 raised the priority of this task from High to Unbreak Now!.Jul 2 2016, 2:27 PM
Luke081515 added a project: Operations.

As I wrote there, the easiest solution is to apply the patch at

Paladox moved this task from To Triage to Herald rules on the Phabricator board.Jul 2 2016, 3:25 PM
greg moved this task from Herald rules to Ready to Go on the Phabricator board.Jul 2 2016, 6:27 PM
greg added a subscriber: greg.

Let's not use a "Security (high priority)" column in the workboard. That only makes it easier for outsiders to know information we don't want them to know. We don't need a "high priority" column.

greg added a comment.Jul 2 2016, 6:30 PM

Timing is tough on this. This is public in upstream sadly but it's a long weekend in the US and @mmodell is out.

greg added a comment.Jul 2 2016, 6:34 PM

I emailed our team list about this to increase visibility.

I just cherry-picked the upstream patch. I'll deploy it now

Luke081515 assigned this task to mmodell.Jul 2 2016, 7:21 PM
mmodell closed this task as Resolved.Jul 2 2016, 7:23 PM

Fixed in wmf/stable and deployed to iridium.

greg added a comment.Jul 2 2016, 8:35 PM

Thanks for the holiday weekend response, Mukunda.

demon added a comment.Jul 2 2016, 10:45 PM

Upstream bug is already public and we're patched, can we open this up now?

@demon Feel free to do so including the merged task.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 3 2016, 4:16 PM
Bawolff changed Security from Software security bug to None.
Restricted Application added subscribers: TerraCodes, Malyacko.Jul 3 2016, 4:16 PM
Bawolff added a subscriber: Bawolff.Jul 3 2016, 4:16 PM

Bug is now public.