From c72f3b4bf1352f44f4f35177317951d2f176899b Mon Sep 17 00:00:00 2001
From: epriestley
Date: Fri, 13 Sep 2013 11:48:43 -0700
Subject: [PATCH] Lock `uri.allowed-protocols` in Config
Summary: This allows administrative overreach. Administrators can enable `javascript:` and then XSS things if this isn't locked.
Test Plan: Viewed value on web UI, verified it was locked.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Differential Revision: https://secure.phabricator.com/D6975
---
 .../config/option/PhabricatorSecurityConfigOptions.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/applications/config/option/PhabricatorSecurityConfigOptions.php b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
index a841611c16..f1623ef628 100644
--- a/src/applications/config/option/PhabricatorSecurityConfigOptions.php
+++ b/src/applications/config/option/PhabricatorSecurityConfigOptions.php
@@ -124,7 +124,8 @@ final class PhabricatorSecurityConfigOptions
 "whitelist is primarily to prevent security issues like ".
 "javascript:// URIs."))
 ->addExample(
- '{"http": true, "https": true"}', pht('Valid Setting')),
+ '{"http": true, "https": true"}', pht('Valid Setting'))
+ ->setLocked(true),
 $this->newOption(
 'celerity.resource-hash',
 'string',
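Review bot: The rewritten `+` line carries over a malformed example: `'{"http": true, "https": true"}'` has a stray `"` after the second `true`, so the sample labelled `pht('Valid Setting')` is not valid JSON and an administrator who pastes it will get a parse failure rather than the protocol whitelist the description promises. Suggest `'{"http": true, "https": true}'` on that line. Since `->setLocked(true)` now removes the option from web editing, it would also help to extend the option description (the `"whitelist is primarily to prevent security issues like javascript:// URIs."` text) with one sentence saying the value is locked and must be changed through the deployment's configuration path instead, so operators are not left guessing where the whitelist is enforced. The `newOption` chain for `uri.allowed-protocols` begins before the hunk and the next `newOption` call for `celerity.resource-hash` continues past it.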