mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-21 14:22:41 +01:00
9777c66576
Summary: Ref T13008. Depends on D18701. The overall goal here is to make turning `enable_post_data_reading` off not break things, so we can run rate limiting checks before we read file uploads. The biggest blocker for this is that turning it off stops `$_FILES` from coming into existence. This //appears// to mostly work. Specifically: - Skip the `max_post_size` check when POST is off, since it's meaningless. - Don't read or scrub $_POST at startup when POST is off. - When we rebuild REQUEST and POST before processing requests, do multipart parsing if we need to and rebuild FILES. - Skip the `is_uploaded_file()` check if we built FILES ourselves. This probably breaks a couple of small things, like maybe `__profile__` and other DarkConsole triggers over POST, and probably some other weird stuff. The parsers may also need more work than they've received so far. I also need to verify that this actually works (i.e., lets us run code without reading the request body) but I'll include that in the change where I update the actual rate limiting. Test Plan: - Disabled `enable_post_data_reading`. - Uploaded a file with a vanilla upload form (project profile image). - Uploaded a file with drag and drop. - Used DarkConsole. - Submitted comments. - Created a task. - Browsed around. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13008 Differential Revision: https://secure.phabricator.com/D18702 |
||
|---|---|---|
| .. | ||
| aphlict/server | ||
| bin | ||
| empty | ||
| lint | ||
| phame | ||
| PhabricatorStartup.php | ||