mirror of https://we.phorge.it/source/phorge.git synced 2024-12-19 20:10:55 +01:00
phorge-phorge/src/applications/files/controller
epriestley 37b93f4262 Don't require POST to download LFS files from main domain
Summary:
Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET.

This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.

Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers.

Test Plan:
Fetched files over GET with and without the LFS header.

```
$ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 302 Redirect
...
```

```
$ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 200 Content
...
```

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7789

Differential Revision: https://secure.phabricator.com/D15654
2016-04-07 08:55:32 -07:00
| File | Last commit | Date |
| --- | --- | --- |
| PhabricatorFileCommentController.php | Update Files for handleRequest | 2015-07-27 09:41:53 -07:00 |
| PhabricatorFileComposeController.php | Update Files to new UI | 2016-04-05 15:58:27 -07:00 |
| PhabricatorFileController.php | Remove newFromMenu() from SideNav | 2016-01-14 05:33:34 -08:00 |
| PhabricatorFileDataController.php | Don't require POST to download LFS files from main domain | 2016-04-07 08:55:32 -07:00 |
| PhabricatorFileDeleteController.php | Update Files to new UI | 2016-04-05 15:58:27 -07:00 |
| PhabricatorFileDropUploadController.php | Allow upload of arbitrary text files | 2015-07-28 08:04:13 -07:00 |
| PhabricatorFileEditController.php | Update Files to new UI | 2016-04-05 15:58:27 -07:00 |
| PhabricatorFileIconSetSelectController.php | Convert all calls to 'IconFont' to just 'Icon' | 2016-01-27 20:59:27 -08:00 |
| PhabricatorFileInfoController.php | Update Files to new UI | 2016-04-05 15:58:27 -07:00 |
| PhabricatorFileListController.php | Remove newFromMenu() from SideNav | 2016-01-14 05:33:34 -08:00 |
| PhabricatorFileTransformController.php | When file transforms race and lose, accept defeat gracefully | 2015-05-21 09:42:20 -07:00 |
| PhabricatorFileTransformListController.php | Update Files to new UI | 2016-04-05 15:58:27 -07:00 |
| PhabricatorFileUploadController.php | Update Files to new UI | 2016-04-05 15:58:27 -07:00 |
| PhabricatorFileUploadDialogController.php | Update Files to new UI | 2016-04-05 15:58:27 -07:00 |