Page MenuHomePhabricator
Differential D10048

Allow only CDN routes when using security.alternate-file-domain
ClosedPublic
Actions

Authored by bttelle on Jul 25 2014, 1:48 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 9, 3:09 AM
Unknown Object (File)
Thu, Dec 5, 3:21 PM
Unknown Object (File)
Thu, Dec 5, 2:14 AM
Unknown Object (File)
Tue, Dec 3, 11:23 PM
Unknown Object (File)
Wed, Nov 27, 10:24 PM
Unknown Object (File)
Wed, Nov 20, 9:31 AM
Unknown Object (File)
Nov 16 2024, 3:36 AM
Unknown Object (File)
Nov 12 2024, 11:17 AM
View All Files
Subscribers
epriestley
Korvin

Details

Reviewers
epriestley
Group Reviewers
Blessed Reviewers
Commits
Restricted Diffusion Commit
rPc006cca9b1e9: Allow only CDN routes when using security.alternate-file-domain
Summary

Instead of allowing all routes based on security.alternate-file-domain, now, when security.alternate-file-domain is set, and the request matches this domain, requests are validated against an explicit list. Allowed routes:

  • /res/
  • /file/data/
  • /file/xform/
  • /phame/r/

This will be redone by T5702 to be less of a hack.

Test Plan
  • browse around (incl. Phame live) to make sure there is no regression from this when security.alternate-file-domain is not used.
  • check that celerity resources and files (incl. previews) are served with security.alternate-file-domain set.
  • check that phame live blog is serving its css correctly with security.alternate-file-domain set.
  • check that requests outside of the whitelist generate an exception for security.alternate-file-domain

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

bttelle updated this revision to Diff 24160.Jul 25 2014, 1:48 AM
bttelle retitled this revision from to Allow only CDN routes when using security.alternate-file-domain.
bttelle updated this object.
bttelle edited the test plan for this revision. (Show Details)
bttelle added a reviewer: epriestley.
Herald added a reviewer: Blessed Reviewers. · View Herald TranscriptJul 25 2014, 1:48 AM
Herald added subscribers: Korvin, epriestley. · View Herald Transcript
bttelle edited the test plan for this revision. (Show Details)Jul 25 2014, 1:49 AM
bttelle edited edge metadata.
Harbormaster completed remote builds in B1892: Diff 24160.Jul 25 2014, 1:49 AM
bttelle updated this object.Jul 25 2014, 1:51 AM
bttelle added a comment.Jul 25 2014, 1:54 AM

I tested this diff against my own phabricator install with and without secure.alternate-file-domain set.

bttelle edited the test plan for this revision. (Show Details)Jul 25 2014, 2:01 AM
bttelle updated this revision to Diff 24161.Jul 25 2014, 2:14 AM

Normalized indent to two spaces per level.

Harbormaster completed remote builds in B1893: Diff 24161.Jul 25 2014, 2:15 AM
epriestley accepted this revision.Jul 25 2014, 1:39 PM
epriestley edited edge metadata.

This looks correct to me. Thanks!

This revision is now accepted and ready to land.Jul 25 2014, 1:39 PM
epriestley closed this revision.Jul 25 2014, 1:40 PM
epriestley updated this revision to Diff 24172.

Closed by commit rPc006cca9b1e9 (authored by Joseph Battelle <git@bttelle.com>, committed by @epriestley).

Revision Contents
Changeset List

PathSize
src/
aphront/
configuration/
19 lines

Diff 24172

View Options

src/aphront/configuration/AphrontApplicationConfiguration.php

Loading...
Phabricator · Built by Phacility