mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-19 20:10:55 +01:00
37b93f4262
Summary: Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET. This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy. Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers. Test Plan: Fetched files over GET with and without the LFS header. ``` $ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null ... HTTP 302 Redirect ... ``` ``` $ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null ... HTTP 200 Content ... ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T7789 Differential Revision: https://secure.phabricator.com/D15654 |
||
---|---|---|
.. | ||
PhabricatorFileCommentController.php | ||
PhabricatorFileComposeController.php | ||
PhabricatorFileController.php | ||
PhabricatorFileDataController.php | ||
PhabricatorFileDeleteController.php | ||
PhabricatorFileDropUploadController.php | ||
PhabricatorFileEditController.php | ||
PhabricatorFileIconSetSelectController.php | ||
PhabricatorFileInfoController.php | ||
PhabricatorFileListController.php | ||
PhabricatorFileTransformController.php | ||
PhabricatorFileTransformListController.php | ||
PhabricatorFileUploadController.php | ||
PhabricatorFileUploadDialogController.php |