2011-05-22 20:55:10 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copyright 2011 Facebook, Inc.
|
|
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
class PhabricatorFileDropUploadController extends PhabricatorFileController {
|
|
|
|
|
|
|
|
|
|
public function processRequest() {
|
|
|
|
|
$request = $this->getRequest();
|
2011-07-08 06:17:00 +02:00
|
|
|
$user = $request->getUser();
|
2011-05-22 20:55:10 +02:00
|
|
|
|
Prevent CSRF uploads via /file/dropupload/
Summary:
We don't currently validate CSRF tokens on this workflow. This allows an
attacker to upload arbitrary files on the user's behalf. Although I believe the
tight list of servable mime-types means that's more or less the end of the
attack, this is still a vulnerability.
In the long term, the right solution is probably to pass CSRF tokens on all Ajax
requests in an HTTP header (or just a GET param) or something like that.
However, this endpoint is unique and this is the quickest and most direct way to
close the hole.
Test Plan:
- Drop-uploaded files to Files, Maniphest, Phriction and Differential.
- Modified CSRF vaidator to use __csrf__.'x' and verified uploads and form
submissions don't work.
Reviewers: andrewjcg, aran, jungejason, tuomaspelkonen, erling
Commenters: andrewjcg, pedram
CC: aran, epriestley, andrewjcg, pedram
Differential Revision: 758
2011-08-02 05:23:01 +02:00
|
|
|
// NOTE: Throws if valid CSRF token is not present in the request.
|
|
|
|
|
$request->validateCSRF();
|
|
|
|
|
|
2011-05-22 20:55:10 +02:00
|
|
|
$data = file_get_contents('php://input');
|
|
|
|
|
$name = $request->getStr('name');
|
|
|
|
|
|
|
|
|
|
$file = PhabricatorFile::newFromFileData(
|
|
|
|
|
$data,
|
|
|
|
|
array(
|
|
|
|
|
'name' => $request->getStr('name'),
|
2011-07-08 06:17:00 +02:00
|
|
|
'authorPHID' => $user->getPHID(),
|
2011-05-22 20:55:10 +02:00
|
|
|
));
|
|
|
|
|
|
Improve drag-and-drop uploader
Summary:
Make it discoverable, show uploading progress, show file thumbnails, allow you
to remove files, make it a generic form component.
Test Plan:
Uploaded ducks
Reviewed By: tomo
Reviewers: aran, tomo, jungejason, tuomaspelkonen
CC: anjali, aran, epriestley, tomo
Differential Revision: 334
2011-05-23 01:11:41 +02:00
|
|
|
$view = new AphrontAttachedFileView();
|
|
|
|
|
$view->setFile($file);
|
|
|
|
|
|
2011-05-22 20:55:10 +02:00
|
|
|
return id(new AphrontAjaxResponse())->setContent(
|
|
|
|
|
array(
|
2011-07-30 01:01:59 +02:00
|
|
|
'id' => $file->getID(),
|
2011-05-22 20:55:10 +02:00
|
|
|
'phid' => $file->getPHID(),
|
Improve drag-and-drop uploader
Summary:
Make it discoverable, show uploading progress, show file thumbnails, allow you
to remove files, make it a generic form component.
Test Plan:
Uploaded ducks
Reviewed By: tomo
Reviewers: aran, tomo, jungejason, tuomaspelkonen
CC: anjali, aran, epriestley, tomo
Differential Revision: 334
2011-05-23 01:11:41 +02:00
|
|
|
'html' => $view->render(),
|
2011-07-30 01:01:59 +02:00
|
|
|
'uri' => $file->getBestURI(),
|
2011-05-22 20:55:10 +02:00
|
|
|
));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
