1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-20 12:30:56 +01:00
phorge-phorge/src/applications/files/controller/PhabricatorFileDataController.php

209 lines
6.7 KiB
PHP
Raw Normal View History

<?php
final class PhabricatorFileDataController extends PhabricatorFileController {
private $phid;
private $key;
private $token;
public function willProcessRequest(array $data) {
$this->phid = $data['phid'];
$this->key = $data['key'];
$this->token = idx($data, 'token');
}
public function shouldRequireLogin() {
return false;
}
protected function checkFileAndToken($file) {
if (!$file) {
return new Aphront404Response();
}
if (!$file->validateSecretKey($this->key)) {
return new Aphront403Response();
}
return null;
}
public function processRequest() {
$request = $this->getRequest();
$alt = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
$base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
$alt_uri = new PhutilURI($alt);
$alt_domain = $alt_uri->getDomain();
$req_domain = $request->getHost();
$main_domain = id(new PhutilURI($base_uri))->getDomain();
$cache_response = true;
if (empty($alt) || $main_domain == $alt_domain) {
// Alternate files domain isn't configured or it's set
// to the same as the default domain
// load the file with permissions checks;
$file = id(new PhabricatorFileQuery())
->setViewer($request->getUser())
->withPHIDs(array($this->phid))
->executeOne();
$error_response = $this->checkFileAndToken($file);
if ($error_response) {
return $error_response;
}
// when the file is not CDNable, don't allow cache
$cache_response = $file->getCanCDN();
} else if ($req_domain != $alt_domain) {
// Alternate domain is configured but this request isn't using it
// load the file with permissions checks;
$file = id(new PhabricatorFileQuery())
->setViewer($request->getUser())
->withPHIDs(array($this->phid))
->executeOne();
$error_response = $this->checkFileAndToken($file);
if ($error_response) {
return $error_response;
}
// if the user can see the file, generate a token;
// redirect to the alt domain with the token;
$token_uri = $file->getCDNURIWithToken();
$token_uri = new PhutilURI($token_uri);
$token_uri = $this->addURIParameters($token_uri);
return id(new AphrontRedirectResponse())
->setIsExternal(true)
->setURI($token_uri);
} else {
// We are using the alternate domain
// load the file, bypassing permission checks;
$file = id(new PhabricatorFileQuery())
->setViewer(PhabricatorUser::getOmnipotentUser())
->withPHIDs(array($this->phid))
->executeOne();
$error_response = $this->checkFileAndToken($file);
if ($error_response) {
return $error_response;
}
Generate a 403 page with a nice dialog when a file token is invalid Summary: Ref T5685. Currently we just 403 on an invalid token, but we can be a little more helpful. The issues here are: - If we **do** redirect you on this page and something goes wrong, you might get stuck in a redirect loop. - If we **don't** redirect you, copy/pasting the link to someone (or reloading the page) gives them a pretty confusing result, since the link doesn't work any more. Prior to this diff, they get a 403. To mitigate this, do a little better than a bare 403: give them a link to auth and generate a new URI for the file. If this is still confusing, the next best thing I can come up with is something like this: - Put some modulous of the timestamp in the URI. - If the current time is within 2 seconds of the generation time, show this dialog. - Otherwise, redirect. That seems like it would be okay, but I worry that "2" has to be small (so links you copy/paste -> chat -> click still work) and a small value means that a small amount of clock skew breaks things. We could use the database clock, but ehhh. Other ideas: - Put a hash of the remote IP in the URI, redirect if it doesn't match. Fails for companies behind a NAT gateway but should work in a lot of other cases. - Just redirect always, there's no reason it should ever loop and browsers don't really do anything bad when there's a loop (they'll show an error after too many redirects). I'm leaning toward letting this stabilize in the wild for a bit, then trying "always redirect". Test Plan: {F188914} Reviewers: btrahan, 20after4 Reviewed By: 20after4 Subscribers: epriestley Maniphest Tasks: T5685 Differential Revision: https://secure.phabricator.com/D10215
2014-08-11 18:39:25 +02:00
$acquire_token_uri = id(new PhutilURI($file->getViewURI()))
->setDomain($main_domain);
$acquire_token_uri = $this->addURIParameters($acquire_token_uri);
Generate a 403 page with a nice dialog when a file token is invalid Summary: Ref T5685. Currently we just 403 on an invalid token, but we can be a little more helpful. The issues here are: - If we **do** redirect you on this page and something goes wrong, you might get stuck in a redirect loop. - If we **don't** redirect you, copy/pasting the link to someone (or reloading the page) gives them a pretty confusing result, since the link doesn't work any more. Prior to this diff, they get a 403. To mitigate this, do a little better than a bare 403: give them a link to auth and generate a new URI for the file. If this is still confusing, the next best thing I can come up with is something like this: - Put some modulous of the timestamp in the URI. - If the current time is within 2 seconds of the generation time, show this dialog. - Otherwise, redirect. That seems like it would be okay, but I worry that "2" has to be small (so links you copy/paste -> chat -> click still work) and a small value means that a small amount of clock skew breaks things. We could use the database clock, but ehhh. Other ideas: - Put a hash of the remote IP in the URI, redirect if it doesn't match. Fails for companies behind a NAT gateway but should work in a lot of other cases. - Just redirect always, there's no reason it should ever loop and browsers don't really do anything bad when there's a loop (they'll show an error after too many redirects). I'm leaning toward letting this stabilize in the wild for a bit, then trying "always redirect". Test Plan: {F188914} Reviewers: btrahan, 20after4 Reviewed By: 20after4 Subscribers: epriestley Maniphest Tasks: T5685 Differential Revision: https://secure.phabricator.com/D10215
2014-08-11 18:39:25 +02:00
if ($this->token) {
// validate the token, if it is valid, continue
$validated_token = $file->validateOneTimeToken($this->token);
if (!$validated_token) {
Generate a 403 page with a nice dialog when a file token is invalid Summary: Ref T5685. Currently we just 403 on an invalid token, but we can be a little more helpful. The issues here are: - If we **do** redirect you on this page and something goes wrong, you might get stuck in a redirect loop. - If we **don't** redirect you, copy/pasting the link to someone (or reloading the page) gives them a pretty confusing result, since the link doesn't work any more. Prior to this diff, they get a 403. To mitigate this, do a little better than a bare 403: give them a link to auth and generate a new URI for the file. If this is still confusing, the next best thing I can come up with is something like this: - Put some modulous of the timestamp in the URI. - If the current time is within 2 seconds of the generation time, show this dialog. - Otherwise, redirect. That seems like it would be okay, but I worry that "2" has to be small (so links you copy/paste -> chat -> click still work) and a small value means that a small amount of clock skew breaks things. We could use the database clock, but ehhh. Other ideas: - Put a hash of the remote IP in the URI, redirect if it doesn't match. Fails for companies behind a NAT gateway but should work in a lot of other cases. - Just redirect always, there's no reason it should ever loop and browsers don't really do anything bad when there's a loop (they'll show an error after too many redirects). I'm leaning toward letting this stabilize in the wild for a bit, then trying "always redirect". Test Plan: {F188914} Reviewers: btrahan, 20after4 Reviewed By: 20after4 Subscribers: epriestley Maniphest Tasks: T5685 Differential Revision: https://secure.phabricator.com/D10215
2014-08-11 18:39:25 +02:00
$dialog = $this->newDialog()
->setShortTitle(pht('Expired File'))
->setTitle(pht('File Link Has Expired'))
->appendParagraph(
pht(
'The link you followed to view this file is invalid or '.
'expired.'))
->appendParagraph(
pht(
'Continue to generate a new link to the file. You may be '.
'required to log in.'))
->addCancelButton(
$acquire_token_uri,
pht('Continue'));
// Build an explicit response so we can respond with HTTP/403 instead
// of HTTP/200.
$response = id(new AphrontDialogResponse())
->setDialog($dialog)
->setHTTPResponseCode(403);
return $response;
}
// return the file data without cache headers
$cache_response = false;
} else if (!$file->getCanCDN()) {
// file cannot be served via cdn, and no token given
// redirect to the main domain to aquire a token
// This is marked as an "external" URI because it is fully qualified.
return id(new AphrontRedirectResponse())
->setIsExternal(true)
Generate a 403 page with a nice dialog when a file token is invalid Summary: Ref T5685. Currently we just 403 on an invalid token, but we can be a little more helpful. The issues here are: - If we **do** redirect you on this page and something goes wrong, you might get stuck in a redirect loop. - If we **don't** redirect you, copy/pasting the link to someone (or reloading the page) gives them a pretty confusing result, since the link doesn't work any more. Prior to this diff, they get a 403. To mitigate this, do a little better than a bare 403: give them a link to auth and generate a new URI for the file. If this is still confusing, the next best thing I can come up with is something like this: - Put some modulous of the timestamp in the URI. - If the current time is within 2 seconds of the generation time, show this dialog. - Otherwise, redirect. That seems like it would be okay, but I worry that "2" has to be small (so links you copy/paste -> chat -> click still work) and a small value means that a small amount of clock skew breaks things. We could use the database clock, but ehhh. Other ideas: - Put a hash of the remote IP in the URI, redirect if it doesn't match. Fails for companies behind a NAT gateway but should work in a lot of other cases. - Just redirect always, there's no reason it should ever loop and browsers don't really do anything bad when there's a loop (they'll show an error after too many redirects). I'm leaning toward letting this stabilize in the wild for a bit, then trying "always redirect". Test Plan: {F188914} Reviewers: btrahan, 20after4 Reviewed By: 20after4 Subscribers: epriestley Maniphest Tasks: T5685 Differential Revision: https://secure.phabricator.com/D10215
2014-08-11 18:39:25 +02:00
->setURI($acquire_token_uri);
}
}
$data = $file->loadFileData();
$response = new AphrontFileResponse();
$response->setContent($data);
if ($cache_response) {
$response->setCacheDurationInSeconds(60 * 60 * 24 * 30);
}
// NOTE: It's important to accept "Range" requests when playing audio.
// If we don't, Safari has difficulty figuring out how long sounds are
// and glitches when trying to loop them. In particular, Safari sends
// an initial request for bytes 0-1 of the audio file, and things go south
// if we can't respond with a 206 Partial Content.
$range = $request->getHTTPHeader('range');
if ($range) {
$matches = null;
if (preg_match('/^bytes=(\d+)-(\d+)$/', $range, $matches)) {
$response->setHTTPResponseCode(206);
$response->setRange((int)$matches[1], (int)$matches[2]);
}
} else if (isset($validated_token)) {
// consume the one-time token if we have one.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$validated_token->delete();
unset($unguarded);
}
$is_viewable = $file->isViewableInBrowser();
$force_download = $request->getExists('download');
if ($is_viewable && !$force_download) {
$response->setMimeType($file->getViewableMimeType());
} else {
if (!$request->isHTTPPost() && !$alt_domain) {
// NOTE: Require POST to download files from the primary domain. We'd
// rather go full-bore and do a real CSRF check, but can't currently
// authenticate users on the file domain. This should blunt any
// attacks based on iframes, script tags, applet tags, etc., at least.
// Send the user to the "info" page if they're using some other method.
// This is marked as "external" because it is fully qualified.
return id(new AphrontRedirectResponse())
->setIsExternal(true)
->setURI(PhabricatorEnv::getProductionURI($file->getBestURI()));
}
$response->setMimeType($file->getMimeType());
$response->setDownload($file->getName());
}
return $response;
}
/**
* Add passthrough parameters to the URI so they aren't lost when we
* redirect to acquire tokens.
*/
private function addURIParameters(PhutilURI $uri) {
$request = $this->getRequest();
if ($request->getBool('download')) {
$uri->setQueryParam('download', 1);
}
return $uri;
}
}