mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 08:52:39 +01:00
epriestley 04c07a7a7b Remove the developer-specific CSRF help in phabricator_form()
Summary:
Fixes T4802. For context, see T1921.

Originally (in T1921), a developer ran into an issue where rendering `phabricator_form()` with an absolute URI confusingly dropped CSRF tokens, and it wasn't obvious why. This is a security measure, but at the time it wasn't very clear how all the pieces fit together. To make it more clear, we:

  # expanded the exception text in developer mode to include a description of this issue; and
  # added an exception in developer mode when rendering a form like this.

However, (2) causes some undesirable interactions for file downloads. In particular, if:

  - developer mode is on; and
  - there's no alternate file domain configured; and
  - you try to download a file...

...we produce CDN URIs that are fully-qualified, and you get the exception from (2) above.

This is kind of a mess, and producing fully-qualified CDN URIs in all cases is simple and clear and desirable. To resolve this, just revert (2). We still have the clarification from (1) above and this hasn't caused further issues, so I think that's sufficient. This is a rare issue anyway and not particularly serious or error prone (at worst, a bit confusing and annoying, but hopefully easy to understand and resolve after the changes in (1)).

Test Plan: With developer mode and no alternate file domain, downloaded files from Files.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4802

Differential Revision: https://secure.phabricator.com/D8776
2014-04-15 10:18:41 -07:00
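As an added illustration of the behaviour the commit message describes (not Phabricator's own code, and written in Python rather than PHP): a form renderer that attaches the session's CSRF token only when the action URI is relative, so an absolute CDN download URI simply gets no token rather than leaking it to another origin or raising an exception. The function names and the `__csrf__` field name are assumptions.

```python
from urllib.parse import urlparse
from html import escape

# Constructed analogue of the security measure the commit message refers to:
# a CSRF token belongs only in forms that post back to this application, so
# any action with a scheme or host (including protocol-relative "//host/...")
# is treated as external and rendered without a token.


def is_absolute_uri(action):
    """True when the action URI carries a scheme or a host component."""
    parts = urlparse(action)
    return bool(parts.scheme or parts.netloc)


def should_include_csrf(action):
    """Only relative (same-application) actions receive the CSRF token."""
    return not is_absolute_uri(action)


def render_form(action, csrf_token, fields):
    """Render a minimal POST form; the hidden CSRF field is conditional."""
    parts = ['<form method="POST" action="%s">' % escape(action)]
    if should_include_csrf(action):
        parts.append('<input type="hidden" name="__csrf__" value="%s" />'
                     % escape(csrf_token))
    for name, value in fields.items():
        parts.append('<input type="hidden" name="%s" value="%s" />'
                     % (escape(name), escape(value)))
    parts.append('</form>')
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed sample values: a relative submit action and a CDN file URI.
    print(render_form("/submit/", "tok123", {"id": "42"}))
    print(render_form("https://cdn.example.com/file/123/", "tok123", {}))
```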
bin Write a very basic string extractor 2014-02-05 11:02:41 -08:00
conf Set celerity.minify true in production environments. 2014-04-10 14:39:05 -07:00
externals Fix phpmailer-lite bug 2014-02-20 17:24:51 -08:00
resources Remove ReleephProjectController 2014-04-14 12:06:56 -07:00
scripts Install PHP mbstring extension on RHEL & friends 2014-04-14 14:59:27 -07:00
src Remove the developer-specific CSRF help in phabricator_form() 2014-04-15 10:18:41 -07:00
support Disable rate limiting by default in general 2014-04-09 11:52:34 -07:00
webroot Remove ReleephProjectController 2014-04-14 12:06:56 -07:00
.arcconfig Updated .arcconfig to match newer style configuration. 2014-02-25 07:48:30 -08:00
.editorconfig Specify config for text editors 2012-11-03 22:34:44 -07:00
.gitignore Rate limit requests by IP 2014-04-08 18:36:21 -07:00
LICENSE Delete license headers from files 2012-11-05 11:16:51 -08:00
NOTICE Increment year. 2013-01-03 05:45:08 -08:00
README Modernize README 2014-01-24 12:28:54 -08:00

Phabricator is an open source collection of web applications which help
software companies build better software.

Phabricator includes applications for:

  - reviewing and auditing source code;
  - hosting and browsing repositories;
  - assembling a party to venture forth;
  - tracking bugs;
  - hiding stuff from coworkers; and
  - also some other things.

You can learn more about the project (and find links to documentation and
resources) here:

  http://phabricator.org/

Phabricator is developed and maintained by Phacility. The first version of
Phabricator was originally built at Facebook.

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.