revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-14 19:02:41 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/files/controller/PhabricatorFileDataController.php

81 lines
2.6 KiB
PHP
Raw Normal View History

Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760
2011-08-02 07:24:00 +02:00
<?php
Move ALL files to serve from the alternate file domain, not just files without "Content-Disposition: attachment" Summary: We currently serve some files off the primary domain (with "Content-Disposition: attachment" + a CSRF check) and some files off the alternate domain (without either). This is not sufficient, because some UAs (like the iPad) ignore "Content-Disposition: attachment". So there's an attack that goes like this: - Alice uploads xss.html - Alice says to Bob "hey download this file on your iPad" - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd. NOTE: This removes the CSRF check for downloading files. The check is nice to have but only raises the barrier to entry slightly. Between iPad / sniffing / flash bytecode attacks, single-domain installs are simply insecure. We could restore the check at some point in conjunction with a derived authentication cookie (i.e., a mini-session-token which is only useful for downloading files), but that's a lot of complexity to drop all at once. (Because files are now authenticated only by knowing the PHID and secret key, this also fixes the "no profile pictures in public feed while logged out" issue.) Test Plan: Viewed, info'd, and downloaded files Reviewers: btrahan, arice, alok Reviewed By: arice CC: aran, epriestley Maniphest Tasks: T843 Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 23:52:27 +01:00
final class PhabricatorFileDataController extends PhabricatorFileController {
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760
2011-08-02 07:24:00 +02:00
private $phid;
private $key;
public function willProcessRequest(array $data) {
$this->phid = $data['phid'];
$this->key = $data['key'];
}
public function shouldRequireLogin() {
return false;
}
public function processRequest() {
$request = $this->getRequest();
Move ALL files to serve from the alternate file domain, not just files without "Content-Disposition: attachment" Summary: We currently serve some files off the primary domain (with "Content-Disposition: attachment" + a CSRF check) and some files off the alternate domain (without either). This is not sufficient, because some UAs (like the iPad) ignore "Content-Disposition: attachment". So there's an attack that goes like this: - Alice uploads xss.html - Alice says to Bob "hey download this file on your iPad" - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd. NOTE: This removes the CSRF check for downloading files. The check is nice to have but only raises the barrier to entry slightly. Between iPad / sniffing / flash bytecode attacks, single-domain installs are simply insecure. We could restore the check at some point in conjunction with a derived authentication cookie (i.e., a mini-session-token which is only useful for downloading files), but that's a lot of complexity to drop all at once. (Because files are now authenticated only by knowing the PHID and secret key, this also fixes the "no profile pictures in public feed while logged out" issue.) Test Plan: Viewed, info'd, and downloaded files Reviewers: btrahan, arice, alok Reviewed By: arice CC: aran, epriestley Maniphest Tasks: T843 Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 23:52:27 +01:00
$alt = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
Redirect instead of 400 from file on wrong domain Summary: We recently opted for 'security.alternate-file-domain' and we have some hotlinks to the original domain. Test Plan: Enabled 'security.alternate-file-domain', observed redirect. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3380
2012-08-24 21:25:51 +02:00
$uri = new PhutilURI($alt);
$alt_domain = $uri->getDomain();
Move ALL files to serve from the alternate file domain, not just files without "Content-Disposition: attachment" Summary: We currently serve some files off the primary domain (with "Content-Disposition: attachment" + a CSRF check) and some files off the alternate domain (without either). This is not sufficient, because some UAs (like the iPad) ignore "Content-Disposition: attachment". So there's an attack that goes like this: - Alice uploads xss.html - Alice says to Bob "hey download this file on your iPad" - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd. NOTE: This removes the CSRF check for downloading files. The check is nice to have but only raises the barrier to entry slightly. Between iPad / sniffing / flash bytecode attacks, single-domain installs are simply insecure. We could restore the check at some point in conjunction with a derived authentication cookie (i.e., a mini-session-token which is only useful for downloading files), but that's a lot of complexity to drop all at once. (Because files are now authenticated only by knowing the PHID and secret key, this also fixes the "no profile pictures in public feed while logged out" issue.) Test Plan: Viewed, info'd, and downloaded files Reviewers: btrahan, arice, alok Reviewed By: arice CC: aran, epriestley Maniphest Tasks: T843 Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 23:52:27 +01:00
if ($alt_domain && ($alt_domain != $request->getHost())) {
Redirect instead of 400 from file on wrong domain Summary: We recently opted for 'security.alternate-file-domain' and we have some hotlinks to the original domain. Test Plan: Enabled 'security.alternate-file-domain', observed redirect. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3380
2012-08-24 21:25:51 +02:00
return id(new AphrontRedirectResponse())
->setURI($uri->setPath($request->getPath()));
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760
2011-08-02 07:24:00 +02:00
}
Make most file reads policy-aware Summary: Ref T603. Swaps out most `PhabricatorFile` loads for `PhabricatorFileQuery`. Test Plan: - Viewed Differential changesets. - Used `file.info`. - Used `file.download`. - Viewed a file. - Deleted a file. - Used `/Fnnnn` to access a file. - Uploaded an image, verified a thumbnail generated. - Created and edited a macro. - Added a meme. - Did old-school attach-a-file-to-a-task. - Viewed a paste. - Viewed a mock. - Embedded a mock. - Profiled a page. - Parsed a commit with image files linked to a revision with image files. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T603 Differential Revision: https://secure.phabricator.com/D7178
2013-09-30 18:38:13 +02:00
$file = id(new PhabricatorFileQuery())
->setViewer($request->getUser())
->withPHIDs(array($this->phid))
->executeOne();
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760
2011-08-02 07:24:00 +02:00
if (!$file) {
return new Aphront404Response();
}
if (!$file->validateSecretKey($this->key)) {
Send 403 for admin pages without being admin Summary: I've also moved the response generation for 404 from ##AphrontDefaultApplicationConfiguration## to ##buildResponseString()## Test Plan: Visit / Visit /mail/ Visit /x/ Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley, vrana Differential Revision: https://secure.phabricator.com/D1406
2012-01-15 10:07:56 +01:00
return new Aphront403Response();
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760
2011-08-02 07:24:00 +02:00
}
$data = $file->loadFileData();
$response = new AphrontFileResponse();
$response->setContent($data);
$response->setCacheDurationInSeconds(60 * 60 * 24 * 30);
Fix two issues with audio macros Summary: Fixes T3887. Two issues: - Macros were generating entirely before the render cache, so audio macros worked fine in previews and the first time the cache was populated, but not afterward. - Instead, parse them before the cache but drop them in after the cache. Clean up all the file querying, too. This makes cached remarkup generate the correct audio beahviors. - Safari sends an HTTP request with a "Range" header, and expects a "206 Partial Content" response. If we don't give it one, it sometimes has trouble figuring out how long a piece of audio is (mostly for longer clips? Or mostly for MP3s?). I'm not exactly sure what triggers it. The net effect is that "loop" does not work when Safari gets confused. While looping a short "quack.wav" worked fine, longer MP3s didn't loop. - Supporting "Range" and "206 Partial Content", which is straightforward, fixes this problem. Test Plan: - Viewed a page with lots of different cached audio macros and lots of different uncached preview audio macros, they all rendered correctly and played audio. - Viewed a macro with a long MP3 audio loop in Safari. Verified it looped after it completed. Used Charles to check that the server received and responded to the "Range" header correctly. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T3887 Differential Revision: https://secure.phabricator.com/D7166
2013-09-29 00:32:48 +02:00
// NOTE: It's important to accept "Range" requests when playing audio.
// If we don't, Safari has difficulty figuring out how long sounds are
// and glitches when trying to loop them. In particular, Safari sends
// an initial request for bytes 0-1 of the audio file, and things go south
// if we can't respond with a 206 Partial Content.
$range = $request->getHTTPHeader('range');
if ($range) {
$matches = null;
if (preg_match('/^bytes=(\d+)-(\d+)$/', $range, $matches)) {
$response->setHTTPResponseCode(206);
$response->setRange((int)$matches[1], (int)$matches[2]);
}
}
Introduce lightbox view for images Summary: images attached to maniphest tasks and mentioned in remarkup anywhere now invoke a lightbox control that lets the user page through all the images. lightbox includes a download button, next / prev buttons, and if we're not at the tippy toppy of hte page an "X" or close button. we also respond to left, right, and esc for navigating. next time we should get non-images working in here...! Test Plan: played with maniphest - looks good made comments with images. looks good. made sure multiple image comments worked. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, chad Maniphest Tasks: T1896 Differential Revision: https://secure.phabricator.com/D3705
2012-10-23 04:06:56 +02:00
$is_viewable = $file->isViewableInBrowser();
$force_download = $request->getExists('download');
Move ALL files to serve from the alternate file domain, not just files without "Content-Disposition: attachment" Summary: We currently serve some files off the primary domain (with "Content-Disposition: attachment" + a CSRF check) and some files off the alternate domain (without either). This is not sufficient, because some UAs (like the iPad) ignore "Content-Disposition: attachment". So there's an attack that goes like this: - Alice uploads xss.html - Alice says to Bob "hey download this file on your iPad" - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd. NOTE: This removes the CSRF check for downloading files. The check is nice to have but only raises the barrier to entry slightly. Between iPad / sniffing / flash bytecode attacks, single-domain installs are simply insecure. We could restore the check at some point in conjunction with a derived authentication cookie (i.e., a mini-session-token which is only useful for downloading files), but that's a lot of complexity to drop all at once. (Because files are now authenticated only by knowing the PHID and secret key, this also fixes the "no profile pictures in public feed while logged out" issue.) Test Plan: Viewed, info'd, and downloaded files Reviewers: btrahan, arice, alok Reviewed By: arice CC: aran, epriestley Maniphest Tasks: T843 Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 23:52:27 +01:00
Introduce lightbox view for images Summary: images attached to maniphest tasks and mentioned in remarkup anywhere now invoke a lightbox control that lets the user page through all the images. lightbox includes a download button, next / prev buttons, and if we're not at the tippy toppy of hte page an "X" or close button. we also respond to left, right, and esc for navigating. next time we should get non-images working in here...! Test Plan: played with maniphest - looks good made comments with images. looks good. made sure multiple image comments worked. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, chad Maniphest Tasks: T1896 Differential Revision: https://secure.phabricator.com/D3705
2012-10-23 04:06:56 +02:00
if ($is_viewable && !$force_download) {
Move ALL files to serve from the alternate file domain, not just files without "Content-Disposition: attachment" Summary: We currently serve some files off the primary domain (with "Content-Disposition: attachment" + a CSRF check) and some files off the alternate domain (without either). This is not sufficient, because some UAs (like the iPad) ignore "Content-Disposition: attachment". So there's an attack that goes like this: - Alice uploads xss.html - Alice says to Bob "hey download this file on your iPad" - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd. NOTE: This removes the CSRF check for downloading files. The check is nice to have but only raises the barrier to entry slightly. Between iPad / sniffing / flash bytecode attacks, single-domain installs are simply insecure. We could restore the check at some point in conjunction with a derived authentication cookie (i.e., a mini-session-token which is only useful for downloading files), but that's a lot of complexity to drop all at once. (Because files are now authenticated only by knowing the PHID and secret key, this also fixes the "no profile pictures in public feed while logged out" issue.) Test Plan: Viewed, info'd, and downloaded files Reviewers: btrahan, arice, alok Reviewed By: arice CC: aran, epriestley Maniphest Tasks: T843 Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 23:52:27 +01:00
$response->setMimeType($file->getViewableMimeType());
} else {
if (!$request->isHTTPPost()) {
// NOTE: Require POST to download files. We'd rather go full-bore and
// do a real CSRF check, but can't currently authenticate users on the
// file domain. This should blunt any attacks based on iframes, script
// tags, applet tags, etc., at least. Send the user to the "info" page
// if they're using some other method.
return id(new AphrontRedirectResponse())
->setURI(PhabricatorEnv::getProductionURI($file->getBestURI()));
}
$response->setMimeType($file->getMimeType());
$response->setDownload($file->getName());
}
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760
2011-08-02 07:24:00 +02:00
return $response;
}
}
Copy permalink