@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Don't require POST to download LFS files from main domain

Summary:
Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET.

This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.

Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers.

Test Plan:
Fetched files over GET with and without the LFS header.

```
$ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 302 Redirect
...
```

```
$ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 200 Content
...
```

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7789

Differential Revision: https://secure.phabricator.com/D15654

+5 -1
+1
src/applications/diffusion/controller/DiffusionServeController.php
··· 996 996 'href' => $get_uri, 997 997 'header' => array( 998 998 'Authorization' => $no_authorization, 999 + 'X-Phabricator-Request-Type' => 'git-lfs', 999 1000 ), 1000 1001 ); 1001 1002 } else {
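Review bot: the header name 'X-Phabricator-Request-Type' and the value 'git-lfs' are spelled out as string literals in this hunk and again in PhabricatorFileDataController; define them once (a constant on a class both controllers can reach) so the sender and the check cannot drift, since a typo on either side would silently turn LFS downloads back into 302 redirects with no error.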
+4 -1
src/applications/files/controller/PhabricatorFileDataController.php
··· 82 82 $is_viewable = $file->isViewableInBrowser(); 83 83 $force_download = $request->getExists('download'); 84 84 85 + $request_type = $request->getHTTPHeader('X-Phabricator-Request-Type'); 86 + $is_lfs = ($request_type == 'git-lfs'); 87 + 85 88 if ($is_viewable && !$force_download) { 86 89 $response->setMimeType($file->getViewableMimeType()); 87 90 } else { 88 - if (!$request->isHTTPPost() && !$is_alternate_domain) { 91 + if (!$request->isHTTPPost() && !$is_alternate_domain && !$is_lfs) { 89 92 // NOTE: Require POST to download files from the primary domain. We'd 90 93 // rather go full-bore and do a real CSRF check, but can't currently 91 94 // authenticate users on the file domain. This should blunt any
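Review bot: `$is_lfs = ($request_type == 'git-lfs');` compares a client-controlled header with loose equality; use `===` so a missing header (null) and any non-string value are handled explicitly rather than by PHP's loose-comparison rules. The NOTE comment that follows the changed `if` explains why POST is required on the primary domain but says nothing about the new `!$is_lfs` exemption; add a line there stating that a request carrying `X-Phabricator-Request-Type: git-lfs` is exempt because the embed-style attacks this check defends against cannot set custom request headers (the rationale given in the summary), so the next reader does not mistake the bypass for an unintended hole.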