No OneTemporary
Actions

Size

15 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/src/applications/config/check/PhabricatorPHPConfigSetupCheck.php b/src/applications/config/check/PhabricatorPHPConfigSetupCheck.php
	index 6a08ec68ae..b3fd03fd19 100644
	--- a/src/applications/config/check/PhabricatorPHPConfigSetupCheck.php
	+++ b/src/applications/config/check/PhabricatorPHPConfigSetupCheck.php
	@@ -1,201 +1,228 @@
	<?php

	final class PhabricatorPHPConfigSetupCheck extends PhabricatorSetupCheck {

	public function getDefaultGroup() {
	return self::GROUP_PHP;
	}

	public function getExecutionOrder() {
	return 0;
	}

	protected function executeChecks() {
	if (version_compare(phpversion(), 7, '>=')) {
	$message = pht(
	'This version of Phabricator does not support PHP 7. You '.
	'are running PHP %s.',
	phpversion());

	$this->newIssue('php.version7')
	->setIsFatal(true)
	->setName(pht('PHP 7 Not Supported'))
	->setMessage($message)
	->addLink(
	'https://phurl.io/u/php7',
	pht('Phabricator PHP 7 Compatibility Information'));

	return;
	}

	$safe_mode = ini_get('safe_mode');
	if ($safe_mode) {
	$message = pht(
	"You have '%s' enabled in your PHP configuration, but Phabricator ".
	"will not run in safe mode. Safe mode has been deprecated in PHP 5.3 ".
	"and removed in PHP 5.4.\n\nDisable safe mode to continue.",
	'safe_mode');

	$this->newIssue('php.safe_mode')
	->setIsFatal(true)
	->setName(pht('Disable PHP %s', 'safe_mode'))
	->setMessage($message)
	->addPHPConfig('safe_mode');
	return;
	}

	// Check for `disable_functions` or `disable_classes`. Although it's
	// possible to disable a bunch of functions (say, `array_change_key_case()`)
	// and classes and still have Phabricator work fine, it's unreasonably
	// difficult for us to be sure we'll even survive setup if these options
	// are enabled. Phabricator needs access to the most dangerous functions,
	// so there is no reasonable configuration value here which actually
	// provides a benefit while guaranteeing Phabricator will run properly.

	$disable_options = array('disable_functions', 'disable_classes');
	foreach ($disable_options as $disable_option) {
	$disable_value = ini_get($disable_option);
	if ($disable_value) {

	// By default Debian installs the pcntl extension but disables all of
	// its functions using configuration. Whitelist disabling these
	// functions so that Debian PHP works out of the box (we do not need to
	// call these functions from the web UI). This is pretty ridiculous but
	// it's not the users' fault and they haven't done anything crazy to
	// get here, so don't make them pay for Debian's unusual choices.
	// See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605571
	$fatal = true;
	if ($disable_option == 'disable_functions') {
	$functions = preg_split('/[, ]+/', $disable_value);
	$functions = array_filter($functions);
	foreach ($functions as $k => $function) {
	if (preg_match('/^pcntl_/', $function)) {
	unset($functions[$k]);
	}
	}
	if (!$functions) {
	$fatal = false;
	}
	}

	if ($fatal) {
	$message = pht(
	"You have '%s' enabled in your PHP configuration.\n\n".
	"This option is not compatible with Phabricator. Remove ".
	"'%s' from your configuration to continue.",
	$disable_option,
	$disable_option);

	$this->newIssue('php.'.$disable_option)
	->setIsFatal(true)
	->setName(pht('Remove PHP %s', $disable_option))
	->setMessage($message)
	->addPHPConfig($disable_option);
	}
	}
	}

	$overload_option = 'mbstring.func_overload';
	$func_overload = ini_get($overload_option);
	if ($func_overload) {
	$message = pht(
	"You have '%s' enabled in your PHP configuration.\n\n".
	"This option is not compatible with Phabricator. Disable ".
	"'%s' in your PHP configuration to continue.",
	$overload_option,
	$overload_option);

	$this->newIssue('php'.$overload_option)
	->setIsFatal(true)
	->setName(pht('Disable PHP %s', $overload_option))
	->setMessage($message)
	->addPHPConfig($overload_option);
	}

	$open_basedir = ini_get('open_basedir');
	if ($open_basedir) {

	// 'open_basedir' restricts which files we're allowed to access with
	// file operations. This might be okay -- we don't need to write to
	// arbitrary places in the filesystem -- but we need to access certain
	// resources. This setting is unlikely to be providing any real measure
	// of security so warn even if things look OK.

	$failures = array();

	try {
	$open_libphutil = class_exists('Future');
	} catch (Exception $ex) {
	$failures[] = $ex->getMessage();
	}

	try {
	$open_arcanist = class_exists('ArcanistDiffParser');
	} catch (Exception $ex) {
	$failures[] = $ex->getMessage();
	}

	$open_urandom = false;
	try {
	Filesystem::readRandomBytes(1);
	$open_urandom = true;
	} catch (FilesystemException $ex) {
	$failures[] = $ex->getMessage();
	}

	try {
	$tmp = new TempFile();
	file_put_contents($tmp, '.');
	$open_tmp = @fopen((string)$tmp, 'r');
	if (!$open_tmp) {
	$failures[] = pht(
	"Unable to read temporary file '%s'.",
	(string)$tmp);
	}
	} catch (Exception $ex) {
	$message = $ex->getMessage();
	$dir = sys_get_temp_dir();
	$failures[] = pht(
	"Unable to open temp files from '%s': %s",
	$dir,
	$message);
	}

	$issue = $this->newIssue('php.open_basedir')
	->setName(pht('Disable PHP %s', 'open_basedir'))
	->addPHPConfig('open_basedir');

	if ($failures) {
	$message = pht(
	"Your server is configured with '%s', which prevents Phabricator ".
	"from opening files it requires access to.\n\n".
	"Disable this setting to continue.\n\nFailures:\n\n%s",
	'open_basedir',
	implode("\n\n", $failures));

	$issue
	->setIsFatal(true)
	->setMessage($message);

	return;
	} else {
	$summary = pht(
	"You have '%s' configured in your PHP settings, which ".
	"may cause some features to fail.",
	'open_basedir');

	$message = pht(
	"You have '%s' configured in your PHP settings. Although this ".
	"setting appears permissive enough that Phabricator will work ".
	"properly, you may still run into problems because of it.\n\n".
	"Consider disabling '%s'.",
	'open_basedir',
	'open_basedir');

	$issue
	->setSummary($summary)
	->setMessage($message);
	}
	}
	+
	+ if (empty($_SERVER['REMOTE_ADDR'])) {
	+ $doc_href = PhabricatorEnv::getDocLink('Configuring a Preamble Script');
	+
	+ $summary = pht(
	+ 'You likely need to fix your preamble script so '.
	+ 'REMOTE_ADDR is no longer empty.');
	+
	+ $message = pht(
	+ 'No REMOTE_ADDR is available, so Phabricator cannot determine the '.
	+ 'origin address for requests. This will prevent Phabricator from '.
	+ 'performing important security checks. This most often means you '.
	+ 'have a mistake in your preamble script. Consult the documentation '.
	+ '(%s) and double-check that the script is written correctly.',
	+ phutil_tag(
	+ 'a',
	+ array(
	+ 'href' => $doc_href,
	+ 'target' => '_blank',
	+ ),
	+ pht('Configuring a Preamble Script')));
	+
	+ $this->newIssue('php.remote_addr')
	+ ->setName(pht('No REMOTE_ADDR available'))
	+ ->setSummary($summary)
	+ ->setMessage($message);
	+ }
	}
	}
	diff --git a/src/applications/people/storage/PhabricatorUserLog.php b/src/applications/people/storage/PhabricatorUserLog.php
	index 5939778f25..9727c81c63 100644
	--- a/src/applications/people/storage/PhabricatorUserLog.php
	+++ b/src/applications/people/storage/PhabricatorUserLog.php
	@@ -1,213 +1,213 @@
	<?php

	final class PhabricatorUserLog extends PhabricatorUserDAO
	implements PhabricatorPolicyInterface {

	const ACTION_LOGIN = 'login';
	const ACTION_LOGIN_PARTIAL = 'login-partial';
	const ACTION_LOGIN_FULL = 'login-full';
	const ACTION_LOGOUT = 'logout';
	const ACTION_LOGIN_FAILURE = 'login-fail';
	const ACTION_LOGIN_LEGALPAD = 'login-legalpad';
	const ACTION_RESET_PASSWORD = 'reset-pass';

	const ACTION_CREATE = 'create';
	const ACTION_EDIT = 'edit';

	const ACTION_ADMIN = 'admin';
	const ACTION_SYSTEM_AGENT = 'system-agent';
	const ACTION_MAILING_LIST = 'mailing-list';
	const ACTION_DISABLE = 'disable';
	const ACTION_APPROVE = 'approve';
	const ACTION_DELETE = 'delete';

	const ACTION_CONDUIT_CERTIFICATE = 'conduit-cert';
	const ACTION_CONDUIT_CERTIFICATE_FAILURE = 'conduit-cert-fail';

	const ACTION_EMAIL_PRIMARY = 'email-primary';
	const ACTION_EMAIL_REMOVE = 'email-remove';
	const ACTION_EMAIL_ADD = 'email-add';
	const ACTION_EMAIL_VERIFY = 'email-verify';
	const ACTION_EMAIL_REASSIGN = 'email-reassign';

	const ACTION_CHANGE_PASSWORD = 'change-password';
	const ACTION_CHANGE_USERNAME = 'change-username';

	const ACTION_ENTER_HISEC = 'hisec-enter';
	const ACTION_EXIT_HISEC = 'hisec-exit';
	const ACTION_FAIL_HISEC = 'hisec-fail';

	const ACTION_MULTI_ADD = 'multi-add';
	const ACTION_MULTI_REMOVE = 'multi-remove';

	protected $actorPHID;
	protected $userPHID;
	protected $action;
	protected $oldValue;
	protected $newValue;
	protected $details = array();
	protected $remoteAddr;
	protected $session;

	public static function getActionTypeMap() {
	return array(
	self::ACTION_LOGIN => pht('Login'),
	self::ACTION_LOGIN_PARTIAL => pht('Login: Partial Login'),
	self::ACTION_LOGIN_FULL => pht('Login: Upgrade to Full'),
	self::ACTION_LOGIN_FAILURE => pht('Login: Failure'),
	self::ACTION_LOGIN_LEGALPAD =>
	pht('Login: Signed Required Legalpad Documents'),
	self::ACTION_LOGOUT => pht('Logout'),
	self::ACTION_RESET_PASSWORD => pht('Reset Password'),
	self::ACTION_CREATE => pht('Create Account'),
	self::ACTION_EDIT => pht('Edit Account'),
	self::ACTION_ADMIN => pht('Add/Remove Administrator'),
	self::ACTION_SYSTEM_AGENT => pht('Add/Remove System Agent'),
	self::ACTION_MAILING_LIST => pht('Add/Remove Mailing List'),
	self::ACTION_DISABLE => pht('Enable/Disable'),
	self::ACTION_APPROVE => pht('Approve Registration'),
	self::ACTION_DELETE => pht('Delete User'),
	self::ACTION_CONDUIT_CERTIFICATE
	=> pht('Conduit: Read Certificate'),
	self::ACTION_CONDUIT_CERTIFICATE_FAILURE
	=> pht('Conduit: Read Certificate Failure'),
	self::ACTION_EMAIL_PRIMARY => pht('Email: Change Primary'),
	self::ACTION_EMAIL_ADD => pht('Email: Add Address'),
	self::ACTION_EMAIL_REMOVE => pht('Email: Remove Address'),
	self::ACTION_EMAIL_VERIFY => pht('Email: Verify'),
	self::ACTION_EMAIL_REASSIGN => pht('Email: Reassign'),
	self::ACTION_CHANGE_PASSWORD => pht('Change Password'),
	self::ACTION_CHANGE_USERNAME => pht('Change Username'),
	self::ACTION_ENTER_HISEC => pht('Hisec: Enter'),
	self::ACTION_EXIT_HISEC => pht('Hisec: Exit'),
	self::ACTION_FAIL_HISEC => pht('Hisec: Failed Attempt'),
	self::ACTION_MULTI_ADD => pht('Multi-Factor: Add Factor'),
	self::ACTION_MULTI_REMOVE => pht('Multi-Factor: Remove Factor'),
	);
	}


	public static function initializeNewLog(
	PhabricatorUser $actor = null,
	$object_phid = null,
	$action = null) {

	$log = new PhabricatorUserLog();

	if ($actor) {
	$log->setActorPHID($actor->getPHID());
	if ($actor->hasSession()) {
	$session = $actor->getSession();

	// NOTE: This is a hash of the real session value, so it's safe to
	// store it directly in the logs.
	$log->setSession($session->getSessionKey());
	}
	}

	$log->setUserPHID((string)$object_phid);
	$log->setAction($action);

	- $log->remoteAddr = idx($_SERVER, 'REMOTE_ADDR', '');
	+ $log->remoteAddr = (string)idx($_SERVER, 'REMOTE_ADDR', '');

	return $log;
	}

	public static function loadRecentEventsFromThisIP($action, $timespan) {
	return id(new PhabricatorUserLog())->loadAllWhere(
	'action = %s AND remoteAddr = %s AND dateCreated > %d
	ORDER BY dateCreated DESC',
	$action,
	idx($_SERVER, 'REMOTE_ADDR'),
	time() - $timespan);
	}

	public function save() {
	$this->details['host'] = php_uname('n');
	$this->details['user_agent'] = AphrontRequest::getHTTPHeader('User-Agent');

	return parent::save();
	}

	protected function getConfiguration() {
	return array(
	self::CONFIG_SERIALIZATION => array(
	'oldValue' => self::SERIALIZATION_JSON,
	'newValue' => self::SERIALIZATION_JSON,
	'details' => self::SERIALIZATION_JSON,
	),
	self::CONFIG_COLUMN_SCHEMA => array(
	'actorPHID' => 'phid?',
	'action' => 'text64',
	'remoteAddr' => 'text64',
	'session' => 'bytes40?',
	),
	self::CONFIG_KEY_SCHEMA => array(
	'actorPHID' => array(
	'columns' => array('actorPHID', 'dateCreated'),
	),
	'userPHID' => array(
	'columns' => array('userPHID', 'dateCreated'),
	),
	'action' => array(
	'columns' => array('action', 'dateCreated'),
	),
	'dateCreated' => array(
	'columns' => array('dateCreated'),
	),
	'remoteAddr' => array(
	'columns' => array('remoteAddr', 'dateCreated'),
	),
	'session' => array(
	'columns' => array('session', 'dateCreated'),
	),
	),
	) + parent::getConfiguration();
	}


	/* -( PhabricatorPolicyInterface )----------------------------------------- */


	public function getCapabilities() {
	return array(
	PhabricatorPolicyCapability::CAN_VIEW,
	);
	}

	public function getPolicy($capability) {
	switch ($capability) {
	case PhabricatorPolicyCapability::CAN_VIEW:
	return PhabricatorPolicies::POLICY_NOONE;
	}
	}

	public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
	if ($viewer->getIsAdmin()) {
	return true;
	}

	$viewer_phid = $viewer->getPHID();
	if ($viewer_phid) {
	$user_phid = $this->getUserPHID();
	if ($viewer_phid == $user_phid) {
	return true;
	}

	$actor_phid = $this->getActorPHID();
	if ($viewer_phid == $actor_phid) {
	return true;
	}
	}

	return false;
	}

	public function describeAutomaticCapability($capability) {
	return array(
	pht('Users can view their activity and activity that affects them.'),
	pht('Administrators can always view all activity.'),
	);
	}

	}

File Metadata

Mime Type: text/x-diff
Expires: Tue, Jul 1, 7:08 PM (22 h, 38 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 164531
Default Alt Text: (15 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions