From 63e96703d808bf1fb928db9ff6b7ef5ed84fa80b Mon Sep 17 00:00:00 2001 From: epriestley Date: Thu, 8 Sep 2011 14:09:25 -0700 Subject: [PATCH] Fix CSRF issue with image proxying Summary: This got caught in the CSRF filter but is a safe write. Test Plan: Pasted the URI for a picture of a goat into a diff, saw a goat. Reviewers: aran, jungejason Reviewed By: aran CC: aran Differential Revision: 910
---
 .../controller/proxy/PhabricatorFileProxyController.php | 6 ++++++
 src/applications/files/controller/proxy/__init__.php | 1 +
 2 files changed, 7 insertions(+)
diff --git a/src/applications/files/controller/proxy/PhabricatorFileProxyController.php b/src/applications/files/controller/proxy/PhabricatorFileProxyController.php
index 3869376b12..760b5c69e3 100644
--- a/src/applications/files/controller/proxy/PhabricatorFileProxyController.php
+++ b/src/applications/files/controller/proxy/PhabricatorFileProxyController.php
@@ -34,6 +34,10 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
 $uri);
 if (!$proxy) {
+ // This write is fine to skip CSRF checks for, we're just building a
+ // cache of some remote image.
+ $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
+
 $file = PhabricatorFile::newFromFileDownload(
 $uri,
 nonempty(basename($uri), 'proxied-file'));
@@ -43,6 +47,8 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
 $proxy->setFilePHID($file->getPHID());
 $proxy->save();
 }
+
+ unset($unguarded);
 }
 if ($proxy) {
diff --git a/src/applications/files/controller/proxy/__init__.php b/src/applications/files/controller/proxy/__init__.php
index f8c7b15690..be1d269685 100644
--- a/src/applications/files/controller/proxy/__init__.php
+++ b/src/applications/files/controller/proxy/__init__.php
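Review bot: The comment above `$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();` justifies lifting the write guard only as "building a cache", but the unguarded scope also covers the remote fetch inside `PhabricatorFile::newFromFileDownload($uri, ...)`, so after this change a plain GET with no CSRF token makes the server download and persist whatever `$uri` resolves to, not just insert a row. The safety argument belongs at the point where the guard is lifted, e.g. `// Unguarded on purpose: this only inserts an idempotent cache entry keyed on $uri, and $uri was validated before we got here; any viewer of the page triggers the same fetch.` — and if no validation of `$uri` (scheme allowlist, size limit) exists before this point, that check is the more important mitigation to add alongside the exemption. The scope is closed by the `unset($unguarded);` added in the second hunk, which presumably relies on the scoped guard's destructor so an exception thrown by the download also ends it; the enclosing method starts and ends outside both hunks, so where `$uri` comes from is not visible here.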
@@ -8,6 +8,7 @@ phutil_require_module('phabricator', 'aphront/response/400'); phutil_require_module('phabricator', 'aphront/response/redirect'); +phutil_require_module('phabricator', 'aphront/writeguard'); phutil_require_module('phabricator', 'applications/files/controller/base'); phutil_require_module('phabricator', 'applications/files/storage/file'); phutil_require_module('phabricator', 'applications/files/storage/proxyimage');