mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-15 11:22:40 +01:00
37b93f4262
Summary: Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET. This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy. Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers. Test Plan: Fetched files over GET with and without the LFS header. ``` $ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null ... HTTP 302 Redirect ... ``` ``` $ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null ... HTTP 200 Content ... ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T7789 Differential Revision: https://secure.phabricator.com/D15654 |
||
|---|---|---|
| .. | ||
| PhabricatorFileCommentController.php | ||
| PhabricatorFileComposeController.php | ||
| PhabricatorFileController.php | ||
| PhabricatorFileDataController.php | ||
| PhabricatorFileDeleteController.php | ||
| PhabricatorFileDropUploadController.php | ||
| PhabricatorFileEditController.php | ||
| PhabricatorFileIconSetSelectController.php | ||
| PhabricatorFileInfoController.php | ||
| PhabricatorFileListController.php | ||
| PhabricatorFileTransformController.php | ||
| PhabricatorFileTransformListController.php | ||
| PhabricatorFileUploadController.php | ||
| PhabricatorFileUploadDialogController.php | ||