Reproduce:
- Open a private browser window
- View https://phabricator.wikimedia.org/F31920110
Feel free to decline if it is intentional. The log said it may only be viewed by acl*security Project, and this is also what the header said.
The file is "attached" to T249039, so Phabricator allows everyone who can view that task to also view this file.
It's a bit surprising to me that just mentioning the file's name "attaches" it; I would expect only embedding the file (i.e. syntax like {F.....}) to do that.
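The comment above describes the exposure mechanism: a file keeps its own restrictive view policy, but once it is attached to a task, anyone who can view the task can also view the file. The following is an added illustration, not Phabricator code: a small audit routine that flags files whose own view policy is stricter than that of a task they are attached to. The record shapes loosely follow the `policy.view` field that Conduit's search endpoints return, but all data below is constructed, and the project PHID is a placeholder.

```python
# Added example (not Phabricator's code): audit attached files whose own
# view policy is stricter than the task they hang off, i.e. the situation
# in this report (restricted file, public task). Input shapes loosely mirror
# Conduit search results; the sample data is constructed for illustration.

PUBLIC = "public"
USERS = "users"


def policy_rank(policy: str) -> int:
    """Order view policies from least to most restrictive.

    Simplified on purpose: in real Phabricator a policy may be a project
    PHID, a custom policy PHID, etc.; here anything that is not "public"
    or "users" is treated as the most restrictive class.
    """
    if policy == PUBLIC:
        return 0
    if policy == USERS:
        return 1
    return 2  # project-scoped or custom policy


def audit_attachments(tasks):
    """Return (task_id, file_id, file_policy, task_policy) for every attached
    file whose own view policy is stricter than the task's view policy.

    Such a file is effectively readable by everyone who can read the task,
    regardless of what its own policy header says.
    """
    findings = []
    for task in tasks:
        task_policy = task["policy"]["view"]
        for attached in task["attached_files"]:
            file_policy = attached["policy"]["view"]
            if policy_rank(file_policy) > policy_rank(task_policy):
                findings.append((task["id"], attached["id"], file_policy, task_policy))
    return findings


# Constructed sample: a public task carrying a project-restricted file (the
# pattern in this report) and a restricted task carrying a restricted file.
SECURITY_PROJECT = "PHID-PROJ-acl-security-PLACEHOLDER"  # placeholder, not a real PHID

SAMPLE_TASKS = [
    {
        "id": "T249039",
        "policy": {"view": PUBLIC},
        "attached_files": [
            {"id": "F31920110", "policy": {"view": SECURITY_PROJECT}},
            {"id": "F-constructed-1", "policy": {"view": PUBLIC}},
        ],
    },
    {
        "id": "T-constructed-2",
        "policy": {"view": SECURITY_PROJECT},
        "attached_files": [
            {"id": "F-constructed-3", "policy": {"view": SECURITY_PROJECT}},
        ],
    },
]


if __name__ == "__main__":
    for task_id, file_id, file_policy, task_policy in audit_attachments(SAMPLE_TASKS):
        print(f"{file_id} (view: {file_policy}) is attached to {task_id} (view: {task_policy})")
```

The routine only compares declared policies; it does not model Phabricator's actual policy engine, but it is enough to surface the combination the report describes (a file restricted to a project attached to a public task) so that the file can be detached or replaced before anyone relies on its header.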
@Bugreporter: Thanks for reporting this! Confirming.
And I cannot edit/fix that file's visibility, though I am a member of #acl*security. Hence I cannot check what the very initial policy was.
(Plus in theory adding subscribers won't help if those subscribers were not allowed to view the task.)
Note that *if* this file was uploaded by clicking "Upload File" in the *public* task then this is expected behavior and not a bug in Phabricator code.
I wonder if https://www.mediawiki.org/wiki/Phabricator/Help#Uploading_file_attachments needs more clarification, sigh...
Thanks for reporting. I've gone ahead and changed the two files from T249039 to protected pastes instead and deleted the original files, which seems to fix the problem. There isn't really an issue for this specific case since 1) these files were part of a public "pre-launch" review and 2) it's trivial for an attacker to clone any of our publicly-available repos and run security scanning tools against them.
Still - this is either a bug with Phab files that should be fixed OR we should inform everyone that they should instead use protected Phab pastes for any potentially-sensitive data.
It might not be a bad idea to add an additional warning to that section summarizing the third paragraph. Or perhaps highlighting key points within the third paragraph in bold.
I've added another warning to the mediawiki doc. Hope that works. I'm going to resolve this task for now. I think it's likely fine to make public, but I'd like to check first with some other Security-Team folks.