<?php
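final class PhabricatorFileDropUploadController
  extends PhabricatorFileController {

  /**
   * Handles an XHR drag-and-drop upload. The raw request body is passed to
   * PhabricatorFile as the file data and the file name is taken from the
   * `name` request parameter.
   *
   * The CSRF check runs before anything else is done with the request:
   * without it, another site could upload arbitrary files on behalf of the
   * logged-in user. The short list of servable MIME types limits what such an
   * upload could be used for, but does not make the endpoint safe on its own.
   *
   * @return AphrontAjaxResponse Response whose content holds the new file's
   *                             `id`, `phid` and best URI.
   * @phutil-external-symbol class PhabricatorStartup
   */
  public function processRequest() {
    $request = $this->getRequest();
    $user = $request->getUser();

    // NOTE: Throws if valid CSRF token is not present in the request.
    $request->validateCSRF();

    // The uploaded bytes arrive as the raw POST body, not as a form field,
    // so they are read from the startup buffer rather than from $request.
    $data = PhabricatorStartup::getRawInput();

    // Read the name once; the previous version fetched it a second time when
    // building the upload parameters and left this local unused.
    $name = $request->getStr('name');

    $file = PhabricatorFile::newFromXHRUpload(
      $data,
      array(
        'name' => $name,
        'authorPHID' => $user->getPHID(),
        'isExplicitUpload' => true,
      ));

    return id(new AphrontAjaxResponse())->setContent(
      array(
        'id' => $file->getID(),
        'phid' => $file->getPHID(),
        'uri' => $file->getBestURI(),
      ));
  }

}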