mirror of
https://we.phorge.it/source/phorge.git
synced 2025-03-13 12:54:53 +01:00
241f06c9ff
Summary: Ref T13250. See D20149. Test Plan: All trivial? Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13250 Differential Revision: https://secure.phabricator.com/D20153
227 lines
7.6 KiB
PHP
227 lines
7.6 KiB
PHP
<?php
|
|
|
|
final class PhabricatorFileDataController extends PhabricatorFileController {
|
|
|
|
private $phid;
|
|
private $key;
|
|
private $file;
|
|
|
|
public function shouldRequireLogin() {
|
|
return false;
|
|
}
|
|
|
|
public function shouldAllowPartialSessions() {
|
|
return true;
|
|
}
|
|
|
|
public function handleRequest(AphrontRequest $request) {
|
|
$viewer = $request->getViewer();
|
|
$this->phid = $request->getURIData('phid');
|
|
$this->key = $request->getURIData('key');
|
|
|
|
$alt = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
|
|
$base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
|
|
$alt_uri = new PhutilURI($alt);
|
|
$alt_domain = $alt_uri->getDomain();
|
|
$req_domain = $request->getHost();
|
|
$main_domain = id(new PhutilURI($base_uri))->getDomain();
|
|
|
|
$request_kind = $request->getURIData('kind');
|
|
$is_download = ($request_kind === 'download');
|
|
|
|
if (!strlen($alt) || $main_domain == $alt_domain) {
|
|
// No alternate domain.
|
|
$should_redirect = false;
|
|
$is_alternate_domain = false;
|
|
} else if ($req_domain != $alt_domain) {
|
|
// Alternate domain, but this request is on the main domain.
|
|
$should_redirect = true;
|
|
$is_alternate_domain = false;
|
|
} else {
|
|
// Alternate domain, and on the alternate domain.
|
|
$should_redirect = false;
|
|
$is_alternate_domain = true;
|
|
}
|
|
|
|
$response = $this->loadFile();
|
|
if ($response) {
|
|
return $response;
|
|
}
|
|
|
|
$file = $this->getFile();
|
|
|
|
if ($should_redirect) {
|
|
return id(new AphrontRedirectResponse())
|
|
->setIsExternal(true)
|
|
->setURI($file->getCDNURI($request_kind));
|
|
}
|
|
|
|
$response = new AphrontFileResponse();
|
|
$response->setCacheDurationInSeconds(60 * 60 * 24 * 30);
|
|
$response->setCanCDN($file->getCanCDN());
|
|
|
|
$begin = null;
|
|
$end = null;
|
|
|
|
// NOTE: It's important to accept "Range" requests when playing audio.
|
|
// If we don't, Safari has difficulty figuring out how long sounds are
|
|
// and glitches when trying to loop them. In particular, Safari sends
|
|
// an initial request for bytes 0-1 of the audio file, and things go south
|
|
// if we can't respond with a 206 Partial Content.
|
|
$range = $request->getHTTPHeader('range');
|
|
if (strlen($range)) {
|
|
list($begin, $end) = $response->parseHTTPRange($range);
|
|
}
|
|
|
|
if (!$file->isViewableInBrowser()) {
|
|
$is_download = true;
|
|
}
|
|
|
|
$request_type = $request->getHTTPHeader('X-Phabricator-Request-Type');
|
|
$is_lfs = ($request_type == 'git-lfs');
|
|
|
|
if (!$is_download) {
|
|
$response->setMimeType($file->getViewableMimeType());
|
|
} else {
|
|
$is_post = $request->isHTTPPost();
|
|
$is_public = !$viewer->isLoggedIn();
|
|
|
|
// NOTE: Require POST to download files from the primary domain. If the
|
|
// request is not a POST request but arrives on the primary domain, we
|
|
// render a confirmation dialog. For discussion, see T13094.
|
|
|
|
// There are two exceptions to this rule:
|
|
|
|
// Git LFS requests can download with GET. This is safe (Git LFS won't
|
|
// execute files it downloads) and necessary to support Git LFS.
|
|
|
|
// Requests with no credentials may also download with GET. This
|
|
// primarily supports downloading files with `arc download` or other
|
|
// API clients. This is only "mostly" safe: if you aren't logged in, you
|
|
// are likely immune to XSS and CSRF. However, an attacker may still be
|
|
// able to set cookies on this domain (for example, to fixate your
|
|
// session). For now, we accept these risks because users running
|
|
// Phabricator in this mode are knowingly accepting a security risk
|
|
// against setup advice, and there's significant value in having
|
|
// API development against test and production installs work the same
|
|
// way.
|
|
|
|
$is_safe = ($is_alternate_domain || $is_post || $is_lfs || $is_public);
|
|
if (!$is_safe) {
|
|
return $this->newDialog()
|
|
->setSubmitURI($file->getDownloadURI())
|
|
->setTitle(pht('Download File'))
|
|
->appendParagraph(
|
|
pht(
|
|
'Download file %s (%s)?',
|
|
phutil_tag('strong', array(), $file->getName()),
|
|
phutil_format_bytes($file->getByteSize())))
|
|
->addCancelButton($file->getURI())
|
|
->addSubmitButton(pht('Download File'));
|
|
}
|
|
|
|
$response->setMimeType($file->getMimeType());
|
|
$response->setDownload($file->getName());
|
|
}
|
|
|
|
$iterator = $file->getFileDataIterator($begin, $end);
|
|
|
|
$response->setContentLength($file->getByteSize());
|
|
$response->setContentIterator($iterator);
|
|
|
|
// In Chrome, we must permit this domain in "object-src" CSP when serving a
|
|
// PDF or the browser will refuse to render it.
|
|
if (!$is_download && $file->isPDF()) {
|
|
$request_uri = id(clone $request->getAbsoluteRequestURI())
|
|
->setPath(null)
|
|
->setFragment(null)
|
|
->removeAllQueryParams();
|
|
|
|
$response->addContentSecurityPolicyURI(
|
|
'object-src',
|
|
(string)$request_uri);
|
|
}
|
|
|
|
return $response;
|
|
}
|
|
|
|
private function loadFile() {
|
|
// Access to files is provided by knowledge of a per-file secret key in
|
|
// the URI. Knowledge of this secret is sufficient to retrieve the file.
|
|
|
|
// For some requests, we also have a valid viewer. However, for many
|
|
// requests (like alternate domain requests or Git LFS requests) we will
|
|
// not. Even if we do have a valid viewer, use the omnipotent viewer to
|
|
// make this logic simpler and more consistent.
|
|
|
|
// Beyond making the policy check itself more consistent, this also makes
|
|
// sure we're consistent about returning HTTP 404 on bad requests instead
|
|
// of serving HTTP 200 with a login page, which can mislead some clients.
|
|
|
|
$viewer = PhabricatorUser::getOmnipotentUser();
|
|
|
|
$file = id(new PhabricatorFileQuery())
|
|
->setViewer($viewer)
|
|
->withPHIDs(array($this->phid))
|
|
->withIsDeleted(false)
|
|
->executeOne();
|
|
|
|
if (!$file) {
|
|
return new Aphront404Response();
|
|
}
|
|
|
|
// We may be on the CDN domain, so we need to use a fully-qualified URI
|
|
// here to make sure we end up back on the main domain.
|
|
$info_uri = PhabricatorEnv::getURI($file->getInfoURI());
|
|
|
|
|
|
if (!$file->validateSecretKey($this->key)) {
|
|
$dialog = $this->newDialog()
|
|
->setTitle(pht('Invalid Authorization'))
|
|
->appendParagraph(
|
|
pht(
|
|
'The link you followed to access this file is no longer '.
|
|
'valid. The visibility of the file may have changed after '.
|
|
'the link was generated.'))
|
|
->appendParagraph(
|
|
pht(
|
|
'You can continue to the file detail page to get more '.
|
|
'information and attempt to access the file.'))
|
|
->addCancelButton($info_uri, pht('Continue'));
|
|
|
|
return id(new AphrontDialogResponse())
|
|
->setDialog($dialog)
|
|
->setHTTPResponseCode(404);
|
|
}
|
|
|
|
if ($file->getIsPartial()) {
|
|
$dialog = $this->newDialog()
|
|
->setTitle(pht('Partial Upload'))
|
|
->appendParagraph(
|
|
pht(
|
|
'This file has only been partially uploaded. It must be '.
|
|
'uploaded completely before you can download it.'))
|
|
->appendParagraph(
|
|
pht(
|
|
'You can continue to the file detail page to monitor the '.
|
|
'upload progress of the file.'))
|
|
->addCancelButton($info_uri, pht('Continue'));
|
|
|
|
return id(new AphrontDialogResponse())
|
|
->setDialog($dialog)
|
|
->setHTTPResponseCode(404);
|
|
}
|
|
|
|
$this->file = $file;
|
|
|
|
return null;
|
|
}
|
|
|
|
private function getFile() {
|
|
if (!$this->file) {
|
|
throw new PhutilInvalidStateException('loadFile');
|
|
}
|
|
return $this->file;
|
|
}
|
|
|
|
}
|