@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Improve consistency of file access policies, particularly for LFS

Summary:
Ref T7789. Currently, we use different viewers if you have `security.alternate-file-domain` configured vs if you do not.

This is largely residual from the days of one-time-tokens, and can cause messy configuration-dependent bugs like the one in T7789#172057.

Instead, always use the omnipotent viewer. Knowledge of the secret key alone is sufficient to access a file.

Test Plan:
- Disabled `security.alternate-file-domain`.
- Reproduced an issue similar to the one described on T7789.
- Applied change.
- Clean LFS interaction.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7789

Differential Revision: https://secure.phabricator.com/D15784

+16 -6
src/applications/files/controller/PhabricatorFileDataController.php
··· 22 22 $req_domain = $request->getHost(); 23 23 $main_domain = id(new PhutilURI($base_uri))->getDomain(); 24 24 25 - 26 25 if (!strlen($alt) || $main_domain == $alt_domain) { 27 26 // No alternate domain. 28 27 $should_redirect = false; 29 - $use_viewer = $viewer; 30 28 $is_alternate_domain = false; 31 29 } else if ($req_domain != $alt_domain) { 32 30 // Alternate domain, but this request is on the main domain. 33 31 $should_redirect = true; 34 - $use_viewer = $viewer; 35 32 $is_alternate_domain = false; 36 33 } else { 37 34 // Alternate domain, and on the alternate domain. 38 35 $should_redirect = false; 39 - $use_viewer = PhabricatorUser::getOmnipotentUser(); 40 36 $is_alternate_domain = true; 41 37 } 42 38 43 - $response = $this->loadFile($use_viewer); 39 + $response = $this->loadFile(); 44 40 if ($response) { 45 41 return $response; 46 42 } ··· 112 108 return $response; 113 109 } 114 110 115 - private function loadFile(PhabricatorUser $viewer) { 111 + private function loadFile() { 112 + // Access to files is provided by knowledge of a per-file secret key in 113 + // the URI. Knowledge of this secret is sufficient to retrieve the file. 114 + 115 + // For some requests, we also have a valid viewer. However, for many 116 + // requests (like alternate domain requests or Git LFS requests) we will 117 + // not. Even if we do have a valid viewer, use the omnipotent viewer to 118 + // make this logic simpler and more consistent. 119 + 120 + // Beyond making the policy check itself more consistent, this also makes 121 + // sure we're consitent about returning HTTP 404 on bad requests instead 122 + // of serving HTTP 200 with a login page, which can mislead some clients. 123 + 124 + $viewer = PhabricatorUser::getOmnipotentUser(); 125 + 116 126 $file = id(new PhabricatorFileQuery()) 117 127 ->setViewer($viewer) 118 128 ->withPHIDs(array($this->phid))
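Review bot: In the first hunk, dropping `$use_viewer = $viewer;` from the "No alternate domain" and "this request is on the main domain" branches means main-domain requests no longer have the file load evaluated against the requesting user's policy, so on installs without `security.alternate-file-domain` a file URI carrying the secret key now works for anyone who holds it, as it already did on the alternate domain. That matches the stated intent, but it is a behavior change for those installs; suggest calling it out in the documentation for that option, and checking that `$viewer` is not left assigned but unused in this method now that `loadFile()` takes no argument.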
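Review bot: In `loadFile()`, the query shown filters only on `withPHIDs(array($this->phid))` while running as `PhabricatorUser::getOmnipotentUser()`, so the secret key comparison that the new comment relies on is not visible in this hunk and is now the only access check. Please confirm that the comparison runs on every path before any file data is returned and that a mismatch ends in HTTP 404, and consider adding a test that requests a file with a restricted view policy using a wrong key. Minor: the added comment has a typo, `we're consitent` should read `we're consistent`.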