mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 22:10:55 +01:00
Fix CSRF issue with image proxying
Summary: This got caught in the CSRF filter but is a safe write. Test Plan: Pasted the URI for a picture of a goat into a diff, saw a goat. Reviewers: aran, jungejason Reviewed By: aran CC: aran Differential Revision: 910
This commit is contained in:
parent
8f772929ac
commit
63e96703d8
2 changed files with 7 additions and 0 deletions
|
@ -34,6 +34,10 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
|
|||
$uri);
|
||||
|
||||
if (!$proxy) {
|
||||
// This write is fine to skip CSRF checks for, we're just building a
|
||||
// cache of some remote image.
|
||||
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
|
||||
|
||||
$file = PhabricatorFile::newFromFileDownload(
|
||||
$uri,
|
||||
nonempty(basename($uri), 'proxied-file'));
|
||||
|
@ -43,6 +47,8 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
|
|||
$proxy->setFilePHID($file->getPHID());
|
||||
$proxy->save();
|
||||
}
|
||||
|
||||
unset($unguarded);
|
||||
}
|
||||
|
||||
if ($proxy) {
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
|
||||
phutil_require_module('phabricator', 'aphront/response/400');
|
||||
phutil_require_module('phabricator', 'aphront/response/redirect');
|
||||
phutil_require_module('phabricator', 'aphront/writeguard');
|
||||
phutil_require_module('phabricator', 'applications/files/controller/base');
|
||||
phutil_require_module('phabricator', 'applications/files/storage/file');
|
||||
phutil_require_module('phabricator', 'applications/files/storage/proxyimage');
|
||||
|
|
Loading…
Reference in a new issue