<?php
Move ALL files to serve from the alternate file domain, not just files without
"Content-Disposition: attachment"
Summary:
We currently serve some files off the primary domain (with "Content-Disposition:
attachment" + a CSRF check) and some files off the alternate domain (without
either).
This is not sufficient, because some UAs (like the iPad) ignore
"Content-Disposition: attachment". So there's an attack that goes like this:
- Alice uploads xss.html
- Alice says to Bob "hey download this file on your iPad"
- Bob clicks "Download" on Phabricator on his iPad, gets XSS'd.
NOTE: This removes the CSRF check for downloading files. The check is nice to
have but only raises the barrier to entry slightly. Between iPad / sniffing /
flash bytecode attacks, single-domain installs are simply insecure. We could
restore the check at some point in conjunction with a derived authentication
cookie (i.e., a mini-session-token which is only useful for downloading files),
but that's a lot of complexity to drop all at once.
(Because files are now authenticated only by knowing the PHID and secret key,
this also fixes the "no profile pictures in public feed while logged out"
issue.)
Test Plan: Viewed, info'd, and downloaded files
Reviewers: btrahan, arice, alok
Reviewed By: arice
CC: aran, epriestley
Maniphest Tasks: T843
Differential Revision: https://secure.phabricator.com/D1608
final class PhabricatorFileInfoController extends PhabricatorFileController {

  /**
   * PHID of the file being shown. Captured from the route data in
   * willProcessRequest() and resolved to a PhabricatorFile in
   * processRequest().
   */
  private $phid;

  /**
   * Remember the file PHID from the routing data.
   *
   * @param array $data Route parameters; only the 'phid' key is read.
   * @return void
   */
  public function willProcessRequest(array $data) {
    $this->phid = $data['phid'];
  }

  /**
   * Render the file info page ("F123"): crumbs, header, action list and
   * property list.
   *
   * The file is loaded through PhabricatorFileQuery with the viewer set, so
   * a PHID the viewer is not allowed to see is expected to come back empty
   * and is answered with a 404 rather than a policy error -- confirm against
   * PhabricatorFileQuery if that distinction matters. This controller never
   * streams file bytes itself; every link it emits points at the file's
   * view URI (per the commit notes on this page, presumably the alternate
   * file domain).
   *
   * @return AphrontResponse A 404 response when the file cannot be loaded,
   *   otherwise the rendered application page.
   */
  public function processRequest() {
    $viewer = $this->getRequest()->getUser();

    $file = id(new PhabricatorFileQuery())
      ->setViewer($viewer)
      ->withPHIDs(array($this->phid))
      ->executeOne();
    if (!$file) {
      return new Aphront404Response();
    }

    // buildPropertyView() renders the author through getHandle(), so the
    // handle has to be loaded up front.
    $this->loadHandles(array($file->getAuthorPHID()));

    $object_name = 'F'.$file->getID();
    $file_phid = $file->getPHID();

    $crumbs = $this->buildApplicationCrumbs();
    $crumb = id(new PhabricatorCrumbView())
      ->setName($object_name)
      ->setHref($this->getApplicationURI("/info/{$file_phid}/"));
    $crumbs->addCrumb($crumb);

    // NOTE(review): the raw, user-chosen file name is handed to the header
    // view and to the page title unescaped; this relies on those layers
    // escaping it for HTML -- confirm.
    $header = id(new PhabricatorHeaderView())
      ->setObjectName($object_name)
      ->setHeader($file->getName());

    $page_content = array(
      $crumbs,
      $header,
      $this->buildActionView($file),
      $this->buildPropertyView($file),
    );
    $page_options = array(
      'title' => $file->getName(),
      'device' => true,
    );

    return $this->buildApplicationPage($page_content, $page_options);
  }

  /**
   * Build the action list for the file: one view-or-download action plus a
   * delete action.
   *
   * Files which can be viewed in the browser get a plain "View File" link;
   * everything else gets a "Download File" action rendered as a form. Both
   * point at the file's view URI. Delete goes through the application's
   * delete endpoint with workflow enabled (presumably a confirmation dialog
   * -- verify in PhabricatorActionView).
   *
   * @param PhabricatorFile $file The loaded file.
   * @return PhabricatorActionListView
   */
  private function buildActionView(PhabricatorFile $file) {
    $viewer = $this->getRequest()->getUser();
    $file_id = $file->getID();
    $view_uri = $file->getViewURI();

    $actions = id(new PhabricatorActionListView())
      ->setUser($viewer)
      ->setObject($file);

    if ($file->isViewableInBrowser()) {
      $open_action = id(new PhabricatorActionView())
        ->setName(pht('View File'))
        ->setIcon('preview')
        ->setHref($view_uri);
    } else {
      // Rendered as a form rather than a bare link; why it needs the user
      // is not visible here -- see PhabricatorActionView::setRenderAsForm().
      $open_action = id(new PhabricatorActionView())
        ->setUser($viewer)
        ->setRenderAsForm(true)
        ->setName(pht('Download File'))
        ->setIcon('download')
        ->setHref($view_uri);
    }
    $actions->addAction($open_action);

    $delete_action = id(new PhabricatorActionView())
      ->setName(pht('Delete File'))
      ->setIcon('delete')
      ->setHref($this->getApplicationURI("/delete/{$file_id}/"))
      ->setWorkflow(true);
    $actions->addAction($delete_action);

    return $actions;
  }

  /**
   * Build the property list: author (when known), creation time, size, a
   * "Technical Details" section with the storage metadata, and an inline
   * preview for browser-viewable files.
   *
   * The storage metadata (mime type, engine, format, handle) is passed
   * through phutil_escape_html() because it is emitted as HTML; the image
   * preview relies on phutil_render_tag() to escape its attribute values.
   *
   * Expects the author handle to have been loaded with loadHandles() by the
   * caller.
   *
   * @param PhabricatorFile $file The loaded file.
   * @return PhabricatorPropertyListView
   */
  private function buildPropertyView(PhabricatorFile $file) {
    $viewer = $this->getRequest()->getUser();
    $properties = new PhabricatorPropertyListView();

    $author_phid = $file->getAuthorPHID();
    if ($author_phid) {
      $author_link = $this->getHandle($author_phid)->renderLink();
      $properties->addProperty(pht('Author'), $author_link);
    }

    $properties->addProperty(
      pht('Created'),
      phabricator_datetime($file->getDateCreated(), $viewer));
    $properties->addProperty(
      pht('Size'),
      phabricator_format_bytes($file->getByteSize()));

    $properties->addSectionHeader(pht('Technical Details'));

    // (label, raw value) pairs; array order is the display order.
    $storage_details = array(
      array(pht('Mime Type'), $file->getMimeType()),
      array(pht('Engine'), $file->getStorageEngine()),
      array(pht('Format'), $file->getStorageFormat()),
      array(pht('Handle'), $file->getStorageHandle()),
    );
    foreach ($storage_details as $detail) {
      list($label, $raw_value) = $detail;
      $properties->addProperty($label, phutil_escape_html($raw_value));
    }

    if ($file->isViewableInBrowser()) {
      // TODO: Clean this up after Pholio (dark backgrounds, standardization,
      // etc.)
      $view_uri = $file->getViewURI();
      $preview = phutil_render_tag(
        'img',
        array(
          'src' => $view_uri,
          'class' => 'phabricator-property-list-image',
        ));
      $linked_preview = phutil_render_tag(
        'a',
        array(
          'href' => $view_uri,
        ),
        $preview);
      $properties->addTextContent($linked_preview);
    }

    return $properties;
  }

}