1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-01 03:02:43 +01:00
Commit graph

139 commits

Author SHA1 Message Date
epriestley
b2890eeb0e Add "final" to all Phabricator "Controller" classes
Summary:
These are all unambiguously unextensible. Issues I hit:

  - Maniphest Change/Diff controllers, just consolidated them.
  - Some search controllers incorrectly extend from "Search" but should extend from "SearchBase". This has no runtime effects.
  - D1836 introduced a closure, which we don't handle correctly (somewhat on purpose; we target PHP 5.2). See T962.

Test Plan: Ran "testEverythingImplemented" unit test to identify classes extending from `final` classes. Resolved issues.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, epriestley

Maniphest Tasks: T795

Differential Revision: https://secure.phabricator.com/D1843
2012-03-09 15:46:25 -08:00
vrana
48ab6aa465 Display //no name// for files without name to make the link clickable
Test Plan: /file/

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1679
2012-02-23 13:23:04 -08:00
epriestley
549146bc7c Move ALL files to serve from the alternate file domain, not just files without
"Content-Disposition: attachment"

Summary:
We currently serve some files off the primary domain (with "Content-Disposition:
attachment" + a CSRF check) and some files off the alternate domain (without
either).

This is not sufficient, because some UAs (like the iPad) ignore
"Content-Disposition: attachment". So there's an attack that goes like this:

	- Alice uploads xss.html
	- Alice says to Bob "hey download this file on your iPad"
        - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd.

NOTE: This removes the CSRF check for downloading files. The check is nice to
have but only raises the barrier to entry slightly. Between iPad / sniffing /
flash bytecode attacks, single-domain installs are simply insecure. We could
restore the check at some point in conjunction with a derived authentication
cookie (i.e., a mini-session-token which is only useful for downloading files),
but that's a lot of complexity to drop all at once.

(Because files are now authenticated only by knowing the PHID and secret key,
this also fixes the "no profile pictures in public feed while logged out"
issue.)

Test Plan: Viewed, info'd, and downloaded files

Reviewers: btrahan, arice, alok

Reviewed By: arice

CC: aran, epriestley

Maniphest Tasks: T843

Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 14:52:27 -08:00
epriestley
b35ea500cc Allow files to be deleted
Summary:
A couple of people mentioned that they've had users accidentally upload
sensitive files. Allow files to be deleted.

(At some point it might be nice to keep the file handle around and log who
deleted it, but this addresses the immediate problem without needing too much
work.)

Test Plan: Deleted some files.

Reviewers: btrahan, jungejason

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T780

Differential Revision: https://secure.phabricator.com/D1423
2012-01-16 16:15:18 -08:00
epriestley
025cc1376e Fix a fatal on the file info screen
Summary: D1354 added a query for a possibly-empty list -- only show the table if
there are transformations.

Test Plan: Reloaded a previously-fataling page, no fatals. Viewed a file with
transformations, got a list.

Reviewers: davidreuss, btrahan, jungejason

Reviewed By: davidreuss

CC: aran, davidreuss

Differential Revision: https://secure.phabricator.com/D1414
2012-01-16 07:01:23 -08:00
vrana
9ba4f24e93 Send 403 for admin pages without being admin
Summary: I've also moved the response generation for 404 from
##AphrontDefaultApplicationConfiguration## to ##buildResponseString()##

Test Plan:
Visit /
Visit /mail/
Visit /x/

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley, vrana

Differential Revision: https://secure.phabricator.com/D1406
2012-01-15 17:30:23 -08:00
Bob Trahan
84ea5c53e4 Kill PhabricatorFileURI
Summary:
we used to need this function for security purposes, but no longer need
it.   remove it so that some call sites can be optimized via smarter data
fetching, and so the whole codebase can have one less thing in it.

Test Plan:
verified the images displayed properly for each of the following
- viewed a diff with added images.
- viewed a user feed
- viewed a user profile
- viewed all image macros
- viewed a paste and clicked through "raw link"
weakness in testing around proxy files and transformed files.  not sure what
these are.  changes here are very programmatic however.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, btrahan, epriestley

Maniphest Tasks: T672

Differential Revision: https://secure.phabricator.com/D1354
2012-01-10 15:21:39 -08:00
Bob Trahan
128b7584da Files - kill tabs
Summary:
kill tabs for Files application.  Technique is the "filter list" on the left
hand side, with separation for "Files" versus "Image Macros".   UI quirks
include:

- the page title does not change for the 3 files filters while it does change
for each of the two image macro filters.
- standalone "file" pages do not have the filter view
- you can visit /file/upload/ standalone and it doesn't have the pretty filter
list on it

Please do give direction on these quirks if you like.  :)

This change also neuters the ?author= functionality for files.  The code is
written such that it can easily be brought back.

Test Plan: clicked around on the filters, liked what I saw.  uploaded files
fancy-like and basic-like and it worked!  made image macros and it worked!

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, btrahan, epriestley

Maniphest Tasks: T631

Differential Revision: 1219
2011-12-15 14:32:12 -08:00
David Reuss
c724902ca9 Don't fail with no image macros
Summary: .. IN (%Ls) with no file phids fails miserably.

Test Plan:
Went to /file/macro/ with and without patch. An exception is thrown
without it.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: 1063
2011-10-28 08:06:30 -07:00
epriestley
0669abc5f0 Use a proper entropy source to generate file keys
Summary:
See T549. Under configurations where files are served from an alternate domain
which does not have cookie credentials, we use random keys to prevent browsing,
similar to how Facebook relies on pseudorandom information in image URIs (we
could some day go farther than this and generate file sessions on the alternate
domain or something, I guess).

Currently, we generate these random keys in a roundabout manner. Instead, use a
real entropy source and store the key on the object. This reduces the number of
sha1() calls in the codebase as per T547.

Test Plan: Ran upgrade scripts, verified database was populated correctly.
Configured alternate file domain, uploaded file, verified secret generated and
worked properly. Changed secret, was given 404.

Reviewers: jungejason, benmathews, nh, tuomaspelkonen, aran

Reviewed By: aran

CC: aran, epriestley

Differential Revision: 1036
2011-10-23 14:42:23 -07:00
Jason Ge
ce8799176e Add author field to image macro display
Summary:
this is a request from Facebook:
> someone has added macros for common words like 'push', 'lgtm'.
> We want to let he image macro page at least attribute to an owner so
> that we can publicly shame whoever added the 800px 'clowntown' macro.

Test Plan:
test macros with/without author (all macro should have
author. This is just to be safe).

Reviewers: epriestley, nh

Reviewed By: epriestley

CC: hwang, aran, arice, jungejason, epriestley

Differential Revision: 984
2011-10-05 09:51:08 -07:00
epriestley
63e96703d8 Fix CSRF issue with image proxying
Summary: This got caught in the CSRF filter but is a safe write.

Test Plan: Pasted the URI for a picture of a goat into a diff, saw a goat.

Reviewers: aran, jungejason

Reviewed By: aran

CC: aran

Differential Revision: 910
2011-09-13 08:49:16 -07:00
epriestley
6dc193d3d9 Fully update library map. 2011-08-18 09:52:36 -07:00
epriestley
b291ad9807 Unguard thumbnail generation from CSRF. 2011-08-17 14:39:00 -07:00
epriestley
68c30e1a71 Provide a setting which forces all file views to be served from an alternate
domain

Summary:
See D758, D759.

  - Provide a strongly recommended setting which permits configuration of an
alternate domain.
  - Lock cookies down better: set them on the exact domain, and use SSL-only if
the configuration is HTTPS.
  - Prevent Phabriator from setting cookies on other domains.

This assumes D759 will land, it is not effective without that change.

Test Plan:
  - Attempted to login from a different domain and was rejected.
  - Logged out, logged back in normally.
  - Put install in setup mode and verified it revealed a warning.
  - Configured an alterate domain.
  - Tried to view an image with an old URI, got a 400.
  - Went to /files/ and verified links rendered to the alternate domain.
  - Viewed an alternate domain file.
  - Tried to view an alternate domain file without the secret key, got a 404.

Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock
CC: aran
Differential Revision: 760
2011-08-16 13:21:46 -07:00
epriestley
355b753df7 Prevent file download without POST + CSRF
Summary: This prevents <applet /> attacks unless the attacker can upload an
applet which has a viewable MIME type as detected by `file`. I'm not sure if
this is possible or not. It should, at least, narrow the attack window. There
are no real tradeoffs here, this is probably a strictly better application
behavior regardless of the security issues.
Test Plan:
  - Tried to download a file via GET, got redirected to info.
  - Downloaded a file via POST + CSRF from the info page.

Reviewers: andrewjcg, erling, aran, jungejason, tuomaspelkonen
CC: aran
Differential Revision: 759
2011-08-16 13:19:16 -07:00
epriestley
3aa17c7443 Prevent CSRF uploads via /file/dropupload/
Summary:
We don't currently validate CSRF tokens on this workflow. This allows an
attacker to upload arbitrary files on the user's behalf. Although I believe the
tight list of servable mime-types means that's more or less the end of the
attack, this is still a vulnerability.

In the long term, the right solution is probably to pass CSRF tokens on all Ajax
requests in an HTTP header (or just a GET param) or something like that.
However, this endpoint is unique and this is the quickest and most direct way to
close the hole.

Test Plan:
  - Drop-uploaded files to Files, Maniphest, Phriction and Differential.
  - Modified CSRF vaidator to use __csrf__.'x' and verified uploads and form
submissions don't work.

Reviewers: andrewjcg, aran, jungejason, tuomaspelkonen, erling
Commenters: andrewjcg, pedram
CC: aran, epriestley, andrewjcg, pedram
Differential Revision: 758
2011-08-16 13:19:10 -07:00
epriestley
90cbf8459c Streamline Files interfaces
Summary:
  - There's no way you can figure out the ID of a file right now. Expose that
more prominently.
  - Put the drag-and-drop uploader on the main page so you don't have to click
through.
  - Restore the basic uploader so IE users can theoretically use the suite I
guess? Added author info to basic uploader.
  - Show author information in the table.
  - Show date information in the table.
  - Link file names.
  - Rename table for filter views.
  - When you upload one file, just jump to it. When you upload multiple files,
jump to your uploads and highlight them.
  - Add an "arc download" hint.

Test Plan: Uploaded single files, groups of files, and files via simple
uploader.
Reviewers: codeblock, jungejason, tuomaspelkonen, aran
Commenters: codeblock
CC: aran, codeblock, epriestley
Differential Revision: 746
2011-07-29 17:56:49 -07:00
epriestley
c33eecf438 Improve DarkConsole "Services" and "XHProf" plugins
Summary:

  - Services: Show summary panel of total service call costs and relative page weight.
  - Services: Add "Analyze Query Plans" button, which issues EXPLAIN for each query and flags problems.
  - XHPRof: iframe the profile.

Test Plan: Used the new query plan analysis to find missing keys causing table scans, see D627.

Reviewers: jungejason, tuomaspelkonen, aran

CC:

Differential Revision: 628
2011-07-11 12:51:58 -07:00
Ricky Elrod
420235f9c4 Drag-drop file upload.
Summary:
- have files be uploaded by drag+drop instead of browse.
- Files are named by their uploaded filename, the user isn't given a chance to enter a file name. Is this bad?
- Store author PHID now with files
- Allow an ?author=<username> to limit the /files/ list by author.
- If one file is uploaded, the user is taken to its info page.
- If several are uploaded, they are taken to a list of their files.

Test Plan:
- Quickly tested everything and it still worked, I'd recommend some people try this out before it gets committed though. It's a rather huge revision.

Reviewers:
epriestley, Ttech

CC:

Differential Revision: 612
2011-07-08 15:20:57 -04:00
epriestley
e0e6ec9117 Allow affiliations to carry project ownership information; transform profile
images correctly

Summary:
This is sort of doing two things at once:

  - Add an "isOwner" flag to Project Affiliation to lay the groundwork for T237.
  - Rename the "QuickCreate" workflow to "Create" and funnel all creation
through it.
  - Reorganize the image transformation stuff and use it to correctly
crop/resize uploaded images.

Test Plan:
Created and edited projects and affailiations. Uploaded project, user, and
profile photos. Verified existing thumbnailing in Maniphest still works
properly.

Reviewed By: cadamo
Reviewers: cadamo, aran, jungejason, tuomaspelkonen
CC: aran, epriestley, cadamo
Differential Revision: 529
2011-06-28 06:40:41 -07:00
epriestley
74d57b0a42 Use phabricator_ time functions in more places
Summary:
Replace some more date() calls with locale-aware calls.

Also, at least on my system, the DateTimeZone / DateTime stuff didn't actually
work and always rendered in UTC. Fixed that.

Test Plan:
Viewed daemon console, differential revisions, files, and maniphest timestamps
in multiple timezones.

Reviewed By: toulouse
Reviewers: toulouse, fratrik, jungejason, aran, tuomaspelkonen
CC: aran, toulouse
Differential Revision: 530
2011-06-26 10:38:25 -07:00
epriestley
f706093933 Support thumbnailing non-image files and straighten out setup for 'gd'
Summary:
Make 'gd' an explicit optional dependency, test for it in setup, and make the
software behave correctly if it is not available.

When generating file thumnails, provide reasonable defaults and behavior for
non-image files.

Test Plan:
Uploaded text files, pdf files, etc., and got real thumbnails instead of a
broken image.

Simulated setup and gd failures and walked through setup process and image
fallback for thumbnails.

Reviewed By: aran
Reviewers: toulouse, jungejason, tuomaspelkonen, aran
CC: aran, epriestley
Differential Revision: 446
2011-06-13 13:49:17 -07:00
epriestley
a63274289c Link macro thumbs and show an exact page count
Summary:
Some of the improvements from T175: link macro thumbnails to the full image, and
pull an exact count out of the database.

Test Plan:
Clicked a thumb, looked at pager.

Reviewed By: tuomaspelkonen
Reviewers: tuomaspelkonen, tomo
CC: aran, tuomaspelkonen
Differential Revision: 397
2011-06-02 17:20:30 -07:00
epriestley
109a202b6c Improve drag-and-drop uploader
Summary:
Make it discoverable, show uploading progress, show file thumbnails, allow you
to remove files, make it a generic form component.

Test Plan:
Uploaded ducks

Reviewed By: tomo
Reviewers: aran, tomo, jungejason, tuomaspelkonen
CC: anjali, aran, epriestley, tomo
Differential Revision: 334
2011-05-27 09:34:29 -07:00
epriestley
8af5bb117d Basic image thumbnailing
Summary:
This is still very rough but provides basic support for generating image
thumbnails. I need to separate stuff out a bit but I'm going to integrate into
Maniphest before I hit the profile stuff so this seems like a reasonable
starting point.

Test Plan:
Generated some image thumbnails in various sizes.

Reviewed By: aran
Reviewers: jungejason, tuomaspelkonen, aran
CC: aran
Differential Revision: 333
2011-05-27 09:33:33 -07:00
epriestley
9f65a5efb8 Drag-and-drop upload for Maniphest
Summary:
This needs a bunch of UI polish (critically, it's totally undiscoverable) but it
basically works correctly. I'll clean it up in some followups.

Test Plan:
Uploaded some files via drag-and-drop, made comments, etc.

Reviewed By: aran
Reviewers: tomo, aran, jungejason, tuomaspelkonen
CC: anjali, aran
Differential Revision: 332
2011-05-22 14:47:04 -07:00
epriestley
03ebbccbc9 Restore image proxying to Remarkup
Summary:
Previously, Remarkup allowed you to paste in an image URI and get an inline
image. However, it did this by hotlinking the image which isn't so hot in an
open source product.

Restore this feature, but use image proxying instead. The existing image macro
code does most of the work.

There is a mild security risk depending on the network setup so I've left this
default-disabled and made a note about it. It should be safe to enable for
Facebook.

Test Plan:
Pasted in image and non-image links, got reasonable behavior. Verified proxying
appears to work. Verified that file:// shenanigans produce 400.

Reviewed By: tuomaspelkonen
Reviewers: aran, jungejason, tuomaspelkonen
Commenters: cpiro
CC: aran, cpiro, tuomaspelkonen
Differential Revision: 214
2011-05-03 18:49:06 -07:00
epriestley
b75960c578 Web editor/browser for image macros
Summary:
Restores the old "pokedex" feature and allows easy definition of new macros.

Only good can come of this!

Critical feature!!

Test Plan:
nyancat

Reviewed By: tuomaspelkonen
Reviewers: aran, bh, tomo, jungejason, tuomaspelkonen
CC: aran, tuomaspelkonen
Differential Revision: 220
2011-05-03 15:50:40 -07:00
epriestley
6229cdadd8 Improve web tools for viewing daemons
Summary:
- Provides an "all daemons" view to look at more than the first 15 daemons.
  - Provides a "combined log" view with a large page size, to quickly look at
the log across all the daemons, making it easier to find issues when you have a
bunch of the same daemon and only one is having issues.
  - When viewing the web console on the same host as a daemon, show whether it's
running or not.

Test Plan:
Clicked the various daemon log interfaces.

Reviewed By: aran
Reviewers: jungejason, tuomaspelkonen, aran
CC: aran
Differential Revision: 215
2011-05-03 06:38:12 -07:00
epriestley
59cd14bc61 Add a pager to "Files"
Summary:
Adds a pager control to the "Files" tool so you can page through files if there
are >100.

Test Plan:
Set page size to a smaller number, paged through files.

Reviewed By: aran
Reviewers: aran, tuomaspelkonen, jungejason
CC: aran
Differential Revision: 211
2011-05-02 13:39:46 -07:00
epriestley
22767b80af Make files coming out of the Files tool cacheable, since this improves
performance (e.g., for profile images) and you need to know a highly entropic
PHID to access a file in the first place, plus installs should generally be
doing HTTPS.
2011-04-11 02:24:39 -07:00
epriestley
361ec78b03 Add missing includes from XHPAST parse bug. 2011-04-06 23:14:58 -07:00
epriestley
21286a723e Lint slop and some cleanup.
Summary:

Test Plan:

Reviewers:

CC:
2011-02-22 09:22:57 -08:00
epriestley
17a4069f01 Security: tighten up the File tool against clowning around.
Summary:

Test Plan:

Reviewers:

CC:
2011-02-22 09:19:14 -08:00
epriestley
e28c2e8899 Profile image stuff 2011-01-31 16:00:42 -08:00
epriestley
29f7219a49 CSRF / Logout 2011-01-30 18:52:29 -08:00
epriestley
ccf7df6093 Authentication 2011-01-26 15:34:20 -08:00
epriestley
0eac30d80d Phabricator file upload application. 2011-01-23 14:04:07 -08:00