mirror of https://we.phorge.it/source/phorge.git synced 2024-11-24 07:42:40 +01:00
phorge-phorge/src/applications/files
epriestley 355b753df7 Prevent file download without POST + CSRF
Summary: This prevents <applet /> attacks unless the attacker can upload an
applet which has a viewable MIME type as detected by `file`. I'm not sure if
this is possible or not. It should, at least, narrow the attack window. There
are no real tradeoffs here, this is probably a strictly better application
behavior regardless of the security issues.
Test Plan:
  - Tried to download a file via GET, got redirected to info.
  - Downloaded a file via POST + CSRF from the info page.

Reviewers: andrewjcg, erling, aran, jungejason, tuomaspelkonen
CC: aran
Differential Revision: 759
2011-08-16 13:19:16 -07:00
controller Prevent file download without POST + CSRF 2011-08-16 13:19:16 -07:00
engine Add an Amazon S3 storage engine for Phabricator 2011-08-03 10:58:03 -07:00
engineselector Add an Amazon S3 storage engine for Phabricator 2011-08-03 10:58:03 -07:00
exception/upload Improve error messages when hitting PHP file upload issues 2011-08-16 13:16:41 -07:00
storage Improve error messages when hitting PHP file upload issues 2011-08-16 13:16:41 -07:00
transform Allow affiliations to carry project ownership information; transform profile 2011-06-28 06:40:41 -07:00
uri DifferentialChangesetView 2011-01-24 17:24:40 -08:00