mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-25 06:50:55 +01:00
Allow only CDN routes when using security.alternate-file-domain
Summary: Instead of allowing all routes based on security.alternate-file-domain, now, when security.alternate-file-domain is set, and the request matches this domain, requests are validated against an explicit list. Allowed routes: - /res/ - /file/data/ - /file/xform/ - /phame/r/ This will be redone by T5702 to be less of a hack. Test Plan: - browse around (incl. Phame live) to make sure there is no regression from this when security.alternate-file-domain is not used. - check that celerity resources and files (incl. previews) are served with security.alternate-file-domain set. - check that phame live blog is serving its css correctly with security.alternate-file-domain set. - check that requests outside of the whitelist generate an exception for security.alternate-file-domain Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: epriestley, Korvin Differential Revision: https://secure.phabricator.com/D10048
This commit is contained in:
parent
51b5bf1e67
commit
c006cca9b1
1 changed files with 18 additions and 1 deletions
|
@ -113,11 +113,17 @@ abstract class AphrontApplicationConfiguration {
|
||||||
array(
|
array(
|
||||||
$base_uri,
|
$base_uri,
|
||||||
$prod_uri,
|
$prod_uri,
|
||||||
$file_uri,
|
|
||||||
),
|
),
|
||||||
$conduit_uris,
|
$conduit_uris,
|
||||||
$allowed_uris);
|
$allowed_uris);
|
||||||
|
|
||||||
|
$cdn_routes = array(
|
||||||
|
'/res/',
|
||||||
|
'/file/data/',
|
||||||
|
'/file/xform/',
|
||||||
|
'/phame/r/',
|
||||||
|
);
|
||||||
|
|
||||||
$host_match = false;
|
$host_match = false;
|
||||||
foreach ($uris as $uri) {
|
foreach ($uris as $uri) {
|
||||||
if ($host === id(new PhutilURI($uri))->getDomain()) {
|
if ($host === id(new PhutilURI($uri))->getDomain()) {
|
||||||
|
@ -126,6 +132,17 @@ abstract class AphrontApplicationConfiguration {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!$host_match) {
|
||||||
|
if ($host === id(new PhutilURI($file_uri))->getDomain()) {
|
||||||
|
foreach ($cdn_routes as $route) {
|
||||||
|
if (strncmp($path, $route, strlen($route)) == 0) {
|
||||||
|
$host_match = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// NOTE: If the base URI isn't defined yet, don't activate alternate
|
// NOTE: If the base URI isn't defined yet, don't activate alternate
|
||||||
// domains.
|
// domains.
|
||||||
if ($base_uri && !$host_match) {
|
if ($base_uri && !$host_match) {
|
||||||
|
|
Loading…
Reference in a new issue