revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2025-04-03 16:08:19 +02:00
Code Issues Releases Wiki Activity

Fix CSRF issue with image proxying

Browse source 
Summary: This got caught in the CSRF filter but is a safe write.

Test Plan: Pasted the URI for a picture of a goat into a diff, saw a goat.

Reviewers: aran, jungejason

Reviewed By: aran

CC: aran

Differential Revision: 910
This commit is contained in:
epriestley 2011-09-08 14:09:25 -07:00
parent 8f772929ac
commit 63e96703d8
2 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/applications/files/controller/proxy/PhabricatorFileProxyController.php
View file

@ -34,6 +34,10 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
$uri); $uri);
if (!$proxy) { if (!$proxy) {
// This write is fine to skip CSRF checks for, we're just building a
// cache of some remote image.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$file = PhabricatorFile::newFromFileDownload( $file = PhabricatorFile::newFromFileDownload(
$uri, $uri,
nonempty(basename($uri), 'proxied-file')); nonempty(basename($uri), 'proxied-file'));
@ -43,6 +47,8 @@ class PhabricatorFileProxyController extends PhabricatorFileController {
$proxy->setFilePHID($file->getPHID()); $proxy->setFilePHID($file->getPHID());
$proxy->save(); $proxy->save();
} }
unset($unguarded);
} }
if ($proxy) { if ($proxy) {

1
src/applications/files/controller/proxy/__init__.php
View file

@ -8,6 +8,7 @@
phutil_require_module('phabricator', 'aphront/response/400'); phutil_require_module('phabricator', 'aphront/response/400');
phutil_require_module('phabricator', 'aphront/response/redirect'); phutil_require_module('phabricator', 'aphront/response/redirect');
phutil_require_module('phabricator', 'aphront/writeguard');
phutil_require_module('phabricator', 'applications/files/controller/base'); phutil_require_module('phabricator', 'applications/files/controller/base');
phutil_require_module('phabricator', 'applications/files/storage/file'); phutil_require_module('phabricator', 'applications/files/storage/file');
phutil_require_module('phabricator', 'applications/files/storage/proxyimage'); phutil_require_module('phabricator', 'applications/files/storage/proxyimage');