1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-24 15:52:41 +01:00
phorge-phorge/src/applications/files/storage
epriestley 549146bc7c Move ALL files to serve from the alternate file domain, not just files without
"Content-Disposition: attachment"

Summary:
We currently serve some files off the primary domain (with "Content-Disposition:
attachment" + a CSRF check) and some files off the alternate domain (without
either).

This is not sufficient, because some UAs (like the iPad) ignore
"Content-Disposition: attachment". So there's an attack that goes like this:

	- Alice uploads xss.html
	- Alice says to Bob "hey download this file on your iPad"
        - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd.

NOTE: This removes the CSRF check for downloading files. The check is nice to
have but only raises the barrier to entry slightly. Between iPad / sniffing /
flash bytecode attacks, single-domain installs are simply insecure. We could
restore the check at some point in conjunction with a derived authentication
cookie (i.e., a mini-session-token which is only useful for downloading files),
but that's a lot of complexity to drop all at once.

(Because files are now authenticated only by knowing the PHID and secret key,
this also fixes the "no profile pictures in public feed while logged out"
issue.)

Test Plan: Viewed, info'd, and downloaded files

Reviewers: btrahan, arice, alok

Reviewed By: arice

CC: aran, epriestley

Maniphest Tasks: T843

Differential Revision: https://secure.phabricator.com/D1608
2012-02-14 14:52:27 -08:00
..
base Phabricator file upload application. 2011-01-23 14:04:07 -08:00
file Move ALL files to serve from the alternate file domain, not just files without 2012-02-14 14:52:27 -08:00
imagemacro Image macros for Phabricator! 2011-04-13 20:08:13 -07:00
proxyimage Restore image proxying to Remarkup 2011-05-03 18:49:06 -07:00
storageblob Allow Phabricator storage engines to be extended and configured 2011-07-21 16:44:24 -07:00
transformed Basic image thumbnailing 2011-05-27 09:33:33 -07:00