Use predictable filenames when downloading raw diffs from a revision
Summary:
To prevent spammers from abusing this feature on a public server, do not include query parameters in the generated filenames. See <d8bb7d91b7>.
Ref T15665.
Test Plan: Download raw diff from a revision and check filename in URL.
Reviewers: O1 Blessed Committers, valerio.bozzolan
Reviewed By: O1 Blessed Committers, valerio.bozzolan
Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno
Maniphest Tasks: T15665
Differential Revision: https://we.phorge.it/D25478
Signed-off-by: Zero King <l2dy@icloud.com>
This commit is contained in:
parent
179f866deb
commit
10a3f4fa19
1 changed files with 7 additions and 14 deletions
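--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -1090,20 +1090,13 @@ final class DifferentialRevisionViewController
 
 $request_uri = $this->getRequest()->getRequestURI();
 
-// this ends up being something like
-// D123.diff
-// or the verbose
-// D123.vs123.id123.highlightjs.diff
-// lame but nice to include these options
-$file_name = ltrim($request_uri->getPath(), '/').'.';
-foreach ($request_uri->getQueryParamsAsPairList() as $pair) {
-list($key, $value) = $pair;
-if ($key == 'download') {
-continue;
-}
-$file_name .= $key.$value.'.';
-}
-$file_name .= 'diff';
+// Filename ends up being something like D123.1692295858.diff
+// This discards some options in the query string that may affect the diff
+// response, but is intentional to avoid spammy titles from bot requests.
+$timestamp =
+PhabricatorTime::getNow() +
+phutil_units('24 hours in seconds');
+$file_name = ltrim($request_uri->getPath(), '/').'.'.$timestamp.'.diff';
 
 $iterator = new ArrayIterator(array($raw_diff));
 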
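Review bot: The added `$timestamp` is `PhabricatorTime::getNow()` plus 24 hours, yet the comment directly above it describes the result as `D123.1692295858.diff`, which a reader will take as the time of the download; nothing in the hunk says why a day is added. I would put a why-comment on that line so nobody later "corrects" it back to now, e.g. `// Offset by 24 hours; presumably matches the generated file's TTL — confirm against where the file is created`. It is also worth stating in the same comment that the filename is now derived from the routed path only, so user-controlled query values can no longer reach it. The enclosing method starts and ends outside this hunk.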