
Fix CSRF issue with image proxying

Summary: This got caught in the CSRF filter but is a safe write.

Test Plan: Pasted the URI for a picture of a goat into a diff, saw a goat.

Reviewers: aran, jungejason

Reviewed By: aran

CC: aran

Differential Revision: 910
epriestley 2011-09-08 14:09:25 -07:00
parent 8f772929ac
commit 63e96703d8
2 changed files with 7 additions and 0 deletions


@ -34,6 +34,10 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
$uri);
if (!$proxy) {
// This write is fine to skip CSRF checks for, we're just building a
// cache of some remote image.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$file = PhabricatorFile::newFromFileDownload(
$uri,
nonempty(basename($uri), 'proxied-file'));
@ -43,6 +47,8 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
$proxy->setFilePHID($file->getPHID());
$proxy->save();
}
unset($unguarded);
}
if ($proxy) {
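Review bot: The comment above `AphrontWriteGuard::beginScopedUnguardedWrites()` asserts the write is safe without saying what makes it safe, and the unguarded scope wraps `PhabricatorFile::newFromFileDownload($uri, ...)`, a server-side fetch of a URI that appears to come from the request. With the CSRF check skipped, any cross-site request that reaches this controller can make the server download and store a remote file, so the exemption is only sound if `$uri` is validated (allowed protocols, destination, response size) before this branch. That code is outside the hunk, so I cannot confirm it. I would make the comment state the invariant, for example `// Safe without CSRF: only a cache row keyed by $uri is written and no user-owned state changes; $uri must already be validated here.` The enclosing method starts and ends outside the visible hunks.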


@ -8,6 +8,7 @@
phutil_require_module('phabricator', 'aphront/response/400');
phutil_require_module('phabricator', 'aphront/response/redirect');
phutil_require_module('phabricator', 'aphront/writeguard');
phutil_require_module('phabricator', 'applications/files/controller/base');
phutil_require_module('phabricator', 'applications/files/storage/file');
phutil_require_module('phabricator', 'applications/files/storage/proxyimage');