mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 00:32:42 +01:00

Use predictable filenames when downloading raw diffs from a revision

Summary:
To prevent spammers from abusing this feature on a public server, do not include query parameters in the generated filenames. See <d8bb7d91b7>.

Ref T15665.

Test Plan: Download raw diff from a revision and check filename in URL.

Reviewers: O1 Blessed Committers, valerio.bozzolan

Reviewed By: O1 Blessed Committers, valerio.bozzolan

Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Maniphest Tasks: T15665

Differential Revision: https://we.phorge.it/D25478

Signed-off-by: Zero King <l2dy@icloud.com>
This commit is contained in:
David Lawrence 2023-08-29 14:25:33 -04:00 committed by Zero King
parent 179f866deb
commit 10a3f4fa19


@ -1090,20 +1090,13 @@ final class DifferentialRevisionViewController
$request_uri = $this->getRequest()->getRequestURI(); $request_uri = $this->getRequest()->getRequestURI();
// this ends up being something like // Filename ends up being something like D123.1692295858.diff
// D123.diff // This discards some options in the query string that may affect the diff
// or the verbose // response, but is intentional to avoid spammy titles from bot requests.
// D123.vs123.id123.highlightjs.diff $timestamp =
// lame but nice to include these options PhabricatorTime::getNow() +
$file_name = ltrim($request_uri->getPath(), '/').'.'; phutil_units('24 hours in seconds');
foreach ($request_uri->getQueryParamsAsPairList() as $pair) { $file_name = ltrim($request_uri->getPath(), '/').'.'.$timestamp.'.diff';
list($key, $value) = $pair;
if ($key == 'download') {
continue;
}
$file_name .= $key.$value.'.';
}
$file_name .= 'diff';
$iterator = new ArrayIterator(array($raw_diff)); $iterator = new ArrayIterator(array($raw_diff));
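Review bot: the new comment says the name "ends up being something like D123.1692295858.diff", but `$timestamp` is computed as `PhabricatorTime::getNow() + phutil_units('24 hours in seconds')`, so the number embedded in the filename is 24 hours in the future, not the time of the request. Either use `PhabricatorTime::getNow()` directly, or rename the variable (for example `$expires`) and state in the comment that the suffix is an expiry time, so the next reader does not take it for a creation timestamp. Relatedly, the title promises "predictable filenames" while the timestamp still makes every request's name different; if the goal is only to keep request-controlled text out of the title, the summary would be clearer saying so. The change itself does what the summary describes: only `$request_uri->getPath()` feeds the name and the `getQueryParamsAsPairList()` loop that appended each `$key.$value` is gone, so query-string keys and values from the request no longer reach the file title.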