phorge-phorge/src/applications/files/controller/altview/PhabricatorFileAltViewController.php

<?php

/*
 * Copyright 2012 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

class PhabricatorFileAltViewController extends PhabricatorFileController {

  private $phid;
  private $key;

  public function willProcessRequest(array $data) {
    $this->phid = $data['phid'];
    $this->key  = $data['key'];
  }

  public function shouldRequireLogin() {
    return false;
  }

  public function processRequest() {

    $alt = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
    if (!$alt) {
      return new Aphront400Response();
    }

    $request = $this->getRequest();

    $alt_domain = id(new PhutilURI($alt))->getDomain();
    if ($alt_domain != $request->getHost()) {
      return new Aphront400Response();
    }

    $file = id(new PhabricatorFile())->loadOneWhere(
      'phid = %s',
      $this->phid);
    if (!$file) {
      return new Aphront404Response();
    }

    if (!$file->validateSecretKey($this->key)) {
      return new Aphront403Response();
    }

    // It's safe to bypass view restrictions because we know we are being served
    // off an alternate domain which we will not set cookies on.

    $data = $file->loadFileData();
    $response = new AphrontFileResponse();
    $response->setContent($data);
    $response->setMimeType($file->getMimeType());
    $response->setCacheDurationInSeconds(60 * 60 * 24 * 30);

    return $response;
  }
}
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760 2011-08-02 07:24:00 +02:00			`<?php`

			`/*`
Send 403 for admin pages without being admin Summary: I've also moved the response generation for 404 from ##AphrontDefaultApplicationConfiguration## to ##buildResponseString()## Test Plan: Visit / Visit /mail/ Visit /x/ Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley, vrana Differential Revision: https://secure.phabricator.com/D1406 2012-01-15 10:07:56 +01:00			`* Copyright 2012 Facebook, Inc.`
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760 2011-08-02 07:24:00 +02:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`class PhabricatorFileAltViewController extends PhabricatorFileController {`

			`private $phid;`
			`private $key;`

			`public function willProcessRequest(array $data) {`
			`$this->phid = $data['phid'];`
			`$this->key = $data['key'];`
			`}`

			`public function shouldRequireLogin() {`
			`return false;`
			`}`

			`public function processRequest() {`

			`$alt = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');`
			`if (!$alt) {`
			`return new Aphront400Response();`
			`}`

			`$request = $this->getRequest();`

			`$alt_domain = id(new PhutilURI($alt))->getDomain();`
			`if ($alt_domain != $request->getHost()) {`
			`return new Aphront400Response();`
			`}`

			`$file = id(new PhabricatorFile())->loadOneWhere(`
			`'phid = %s',`
			`$this->phid);`
			`if (!$file) {`
			`return new Aphront404Response();`
			`}`

			`if (!$file->validateSecretKey($this->key)) {`
Send 403 for admin pages without being admin Summary: I've also moved the response generation for 404 from ##AphrontDefaultApplicationConfiguration## to ##buildResponseString()## Test Plan: Visit / Visit /mail/ Visit /x/ Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley, vrana Differential Revision: https://secure.phabricator.com/D1406 2012-01-15 10:07:56 +01:00			`return new Aphront403Response();`
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760 2011-08-02 07:24:00 +02:00			`}`

			`// It's safe to bypass view restrictions because we know we are being served`
			`// off an alternate domain which we will not set cookies on.`

			`$data = $file->loadFileData();`
			`$response = new AphrontFileResponse();`
			`$response->setContent($data);`
Use a proper entropy source to generate file keys Summary: See T549. Under configurations where files are served from an alternate domain which does not have cookie credentials, we use random keys to prevent browsing, similar to how Facebook relies on pseudorandom information in image URIs (we could some day go farther than this and generate file sessions on the alternate domain or something, I guess). Currently, we generate these random keys in a roundabout manner. Instead, use a real entropy source and store the key on the object. This reduces the number of sha1() calls in the codebase as per T547. Test Plan: Ran upgrade scripts, verified database was populated correctly. Configured alternate file domain, uploaded file, verified secret generated and worked properly. Changed secret, was given 404. Reviewers: jungejason, benmathews, nh, tuomaspelkonen, aran Reviewed By: aran CC: aran, epriestley Differential Revision: 1036 2011-10-23 22:50:10 +02:00			`$response->setMimeType($file->getMimeType());`
Provide a setting which forces all file views to be served from an alternate domain Summary: See D758, D759. - Provide a strongly recommended setting which permits configuration of an alternate domain. - Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS. - Prevent Phabriator from setting cookies on other domains. This assumes D759 will land, it is not effective without that change. Test Plan: - Attempted to login from a different domain and was rejected. - Logged out, logged back in normally. - Put install in setup mode and verified it revealed a warning. - Configured an alterate domain. - Tried to view an image with an old URI, got a 400. - Went to /files/ and verified links rendered to the alternate domain. - Viewed an alternate domain file. - Tried to view an alternate domain file without the secret key, got a 404. Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock CC: aran Differential Revision: 760 2011-08-02 07:24:00 +02:00			`$response->setCacheDurationInSeconds(60 * 60 * 24 * 30);`

			`return $response;`
			`}`
			`}`