1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 02:12:41 +01:00
phorge-phorge/src/aphront
epriestley 549146bc7c Move ALL files to serve from the alternate file domain, not just files without
"Content-Disposition: attachment"

Summary:
We currently serve some files off the primary domain (with "Content-Disposition:
attachment" + a CSRF check) and some files off the alternate domain (without
either).

This is not sufficient, because some UAs (like the iPad) ignore
"Content-Disposition: attachment". So there's an attack that goes like this:

	- Alice uploads xss.html
	- Alice says to Bob "hey download this file on your iPad"
        - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd.

NOTE: This removes the CSRF check for downloading files. The check is nice to
have but only raises the barrier to entry slightly. Between iPad / sniffing /
flash bytecode attacks, single-domain installs are simply insecure. We could
restore the check at some point in conjunction with a derived authentication
cookie (i.e., a mini-session-token which is only useful for downloading files),
but that's a lot of complexity to drop all at once.

(Because files are now authenticated only by knowing the PHID and secret key,
this also fixes the "no profile pictures in public feed while logged out"
issue.)

Test Plan: Viewed, info'd, and downloaded files

Reviewers: btrahan, arice, alok

Reviewed By: arice

CC: aran, epriestley

Maniphest Tasks: T843

Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 14:52:27 -08:00
..
applicationconfiguration Automatically redirect 404's that wouldn't be 404s if they had a trailing slash 2011-04-04 10:29:46 -07:00
console Minor, fix number_format() warning. 2012-01-05 09:09:36 -08:00
controller Modularize oauth. 2011-02-27 20:38:11 -08:00
default Move ALL files to serve from the alternate file domain, not just files without 2012-02-14 14:52:27 -08:00
exception Fix conservative CSRF token cycling limit 2011-07-14 08:09:40 -07:00
mapper Import some code, some of which may be relevant to the project. 2011-01-17 19:31:39 -08:00
request Improve error message for Conduit path problems 2012-01-16 11:48:21 -08:00
response Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks 2012-02-14 14:51:51 -08:00
sink Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks 2012-02-14 14:51:51 -08:00
writeguard Create AphrontWriteGuard, a backup mechanism for CSRF validation 2011-08-16 13:29:57 -07:00