
Don't require POST to download LFS files from main domain

Authored by epriestley on Apr 7 2016, 3:50 PM.



Ref T7789. If you don't have security.alternate-file-domain configured, we won't serve binary files over GET.

This is a security measure intended to prevent <applet src="..." /> attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.

Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers.

Test Plan

Fetched files over GET with and without the LFS header.

$ curl -v > /dev/null
HTTP 302 Redirect
$ curl -v -H 'X-Phabricator-Request-Type: git-lfs' > /dev/null
HTTP 200 Content
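The policy described above, as an added illustration that is not Phabricator's own (PHP) code: a main-domain file download with security.alternate-file-domain unset, where a GET is only honoured when the request proves it came from Git LFS via the X-Phabricator-Request-Type header. The function names, the (status, action) return shape and the is_binary flag are assumptions of this example.

```python
"""Decision logic mirroring the revision's summary and test plan.
Assumes security.alternate-file-domain is NOT configured, the case the page
describes; function names and return values are this example's own."""
from typing import Mapping, Optional, Tuple

LFS_HEADER = "X-Phabricator-Request-Type"  # header name from the page
LFS_VALUE = "git-lfs"                      # header value from the page


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so fold before comparing."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_git_lfs_request(headers: Mapping[str, str]) -> bool:
    """True only when the exact LFS marker header is present.

    An <applet>, <img>, <embed> or plain form submission cannot attach a
    custom request header, so its presence rules out the embedding attacks
    the GET restriction exists to block. The value is matched exactly; it is
    a protocol token, not free text."""
    return get_header(headers, LFS_HEADER) == LFS_VALUE


def file_response(method: str, headers: Mapping[str, str],
                  is_binary: bool) -> Tuple[int, str]:
    """Return (status, action) for a file download on the main domain.

    200/"serve" means the bytes go back inline; 302/"redirect" is the
    behaviour the test plan shows for a bare GET of a binary file."""
    if not is_binary:
        return (200, "serve")          # restriction only covers binaries
    if method == "POST":
        return (200, "serve")          # POST was always allowed
    if method == "GET" and is_git_lfs_request(headers):
        return (200, "serve")          # the change this revision makes
    return (302, "redirect")


if __name__ == "__main__":
    # Constructed requests reproducing the two curl calls in the test plan.
    print(file_response("GET", {}, True))
    print(file_response("GET", {LFS_HEADER: LFS_VALUE}, True))
```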

Diff Detail

rP Phabricator
Lint Not Applicable
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Don't require POST to download LFS files from main domain.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. Apr 7 2016, 3:52 PM
This revision was automatically updated to reflect the committed changes.