@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Restore support for using "arc download" to fetch files with no "security.alternate-file-domain"

Summary:
Fixes T13132. I removed this branch in D19156 when tightening the logic for the new CSP header, but there's a legitimate need for it: downloading files via `arc download`, or more generally being an API consumer of files.

This is not completely safe, but attacks I'm aware of (particularly, cookie fixation, where an attacker could potentially force a victim to become logged in to an account they control) are difficult and not very powerful. We already issue clear setup advice about the importance of configuring this option ("Phabricator is currently configured to serve user uploads directly from the same domain as other content. This is a security risk.") and I think there's significant value in letting API clients just GET file data without having to jump through a lot of weird hoops.

Test Plan:
- With `security.alternate-file-domain` off, tried to `arc download` a file.
- Before: downloaded an HTML dialog page.
- After: downloaded the file.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13132

Differential Revision: https://secure.phabricator.com/D19421

+18 -1
src/applications/files/controller/PhabricatorFileDataController.php
··· 84 84 $response->setMimeType($file->getViewableMimeType()); 85 85 } else { 86 86 $is_post = $request->isHTTPPost(); 87 + $is_public = !$viewer->isLoggedIn(); 87 88 88 89 // NOTE: Require POST to download files from the primary domain. If the 89 90 // request is not a POST request but arrives on the primary domain, we 90 91 // render a confirmation dialog. For discussion, see T13094. 91 92 92 - $is_safe = ($is_alternate_domain || $is_lfs || $is_post); 93 + // There are two exceptions to this rule: 94 + 95 + // Git LFS requests can download with GET. This is safe (Git LFS won't 96 + // execute files it downloads) and necessary to support Git LFS. 97 + 98 + // Requests with no credentials may also download with GET. This 99 + // primarily supports downloading files with `arc download` or other 100 + // API clients. This is only "mostly" safe: if you aren't logged in, you 101 + // are likely immune to XSS and CSRF. However, an attacker may still be 102 + // able to set cookies on this domain (for example, to fixate your 103 + // session). For now, we accept these risks because users running 104 + // Phabricator in this mode are knowingly accepting a security risk 105 + // against setup advice, and there's significant value in having 106 + // API development against test and production installs work the same 107 + // way. 108 + 109 + $is_safe = ($is_alternate_domain || $is_post || $is_lfs || $is_public); 93 110 if (!$is_safe) { 94 111 return $this->newDialog() 95 112 ->setSubmitURI($file->getDownloadURI())
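Review bot: the new exception is gated solely on `$is_public = !$viewer->isLoggedIn();`, so every unauthenticated GET on the primary domain now returns raw file bytes with no confirmation dialog, and the comment's safety argument ("you are likely immune to XSS and CSRF") rests on setup advice rather than on anything the code verifies. The revision summary says this path only matters when `security.alternate-file-domain` is unset, but the in-code comment never states that; please add a sentence to the "Requests with no credentials" paragraph saying the GET exception is only relevant without an alternate file domain, so a future reader does not take it as a general policy. Also, `$is_safe = ($is_alternate_domain || $is_post || $is_lfs || $is_public);` swaps the order of `$is_post` and `$is_lfs` relative to the removed line; the result is identical since `||` is commutative, but keeping the original order would make the diff show only the genuinely new `$is_public` term.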