recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Only require POST to fetch file data if the viewer is logged in

Summary:
Ref T11357. In D17611, I added `file.search`, which includes a `"dataURI"`. Partly, this is building toward resolving T8348.

However, in some cases you can't GET this URI because of a security measure:

- You have not configured `security.alternate-file-domain`.
- The file isn't web-viewable.
- (The request isn't an LFS request.)

The goal of this security mechanism is just to protect against session hijacking, so it's also safe to disable it if the viewer didn't present any credentials (since that means there's nothing to hijack). Add that exception, and reorganize the code a little bit.

Test Plan:
- From the browser (with a session), tried to GET a binary data file. Got redirected.
- Got a download with POST.
- From the CLI (without a session), tried to GET a binary data file. Go a download.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11357

Differential Revision: https://secure.phabricator.com/D17613

epriestley 2896da38 2369fa38

+16 -6
+16 -6
src/applications/files/controller/PhabricatorFileDataController.php
··· 84 84 if ($is_viewable && !$force_download) { 85 85 $response->setMimeType($file->getViewableMimeType()); 86 86 } else { 87 - if (!$request->isHTTPPost() && !$is_alternate_domain && !$is_lfs) { 88 - // NOTE: Require POST to download files from the primary domain. We'd 89 - // rather go full-bore and do a real CSRF check, but can't currently 90 - // authenticate users on the file domain. This should blunt any 91 - // attacks based on iframes, script tags, applet tags, etc., at least. 92 - // Send the user to the "info" page if they're using some other method. 87 + $is_public = !$viewer->isLoggedIn(); 88 + $is_post = $request->isHTTPPost(); 93 89 90 + // NOTE: Require POST to download files from the primary domain if the 91 + // request includes credentials. The "Download File" links we generate 92 + // in the web UI are forms which use POST to satisfy this requirement. 93 + 94 + // The intent is to make attacks based on tags like "<iframe />" and 95 + // "<script />" (which can issue GET requests, but can not easily issue 96 + // POST requests) more difficult to execute. 97 + 98 + // The best defense against these attacks is to use an alternate file 99 + // domain, which is why we strongly recommend doing so. 100 + 101 + $is_safe = ($is_alternate_domain || $is_lfs || $is_post || $is_public); 102 + if (!$is_safe) { 94 103 // This is marked as "external" because it is fully qualified. 95 104 return id(new AphrontRedirectResponse()) 96 105 ->setIsExternal(true) 97 106 ->setURI(PhabricatorEnv::getProductionURI($file->getBestURI())); 98 107 } 108 + 99 109 $response->setMimeType($file->getMimeType()); 100 110 $response->setDownload($file->getName()); 101 111 }