mirror of
https://we.phorge.it/source/phorge.git
synced 2025-02-21 11:09:02 +01:00
37b93f4262
Summary: Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET. This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy. Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers. Test Plan: Fetched files over GET with and without the LFS header. ``` $ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null ... HTTP 302 Redirect ... ``` ``` $ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null ... HTTP 200 Content ... ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T7789 Differential Revision: https://secure.phabricator.com/D15654 |
||
|---|---|---|
| .. | ||
| application | ||
| capability | ||
| conduit | ||
| config | ||
| controller | ||
| data | ||
| doorkeeper | ||
| edge | ||
| engine | ||
| engineextension | ||
| exception | ||
| garbagecollector | ||
| gitlfs | ||
| herald | ||
| panel | ||
| protocol | ||
| query | ||
| remarkup | ||
| request | ||
| response | ||
| ssh | ||
| symbol | ||
| typeahead | ||
| view | ||
| DiffusionLintSaveRunner.php | ||