
Don't require POST to download LFS files from main domain
ClosedPublic

Authored by epriestley on Apr 7 2016, 3:50 PM.

Details

Summary

Ref T7789. If you don't have security.alternate-file-domain configured, we won't serve binary files over GET.

This is a security measure intended to prevent <applet src="..." /> attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.

Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers.

Test Plan

Fetched files over GET with and without the LFS header.

$ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 302 Redirect
...
$ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 200 Content
...
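The rule the summary describes, modelled as an added example (not Phabricator's own code): without an alternate file domain, binary data is served only in response to POST or to a GET carrying the git-lfs request-type header, because a browser subresource load such as an applet or image embed always issues a plain GET and cannot attach custom headers. The header name and the config key come from the page; the request shape, the hostnames and the behaviour when an alternate domain is configured are assumptions made for the model.

```python
# Added example modelling the download gate from the revision summary.
# Not Phabricator's code: request shape, hostnames and alternate-domain
# handling are constructed assumptions for illustration.
from dataclasses import dataclass, field

LFS_HEADER = "X-Phabricator-Request-Type"  # header name from the test plan
LFS_VALUE = "git-lfs"


@dataclass
class Request:
    method: str
    host: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive; compare them normalised.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value.strip()
        return None


def decide_file_download(req, alternate_file_domain=None):
    """Return (status, reason) for a request for a binary file's data.

    A browser loading <applet>, <object> or <img> sends a bare GET with no
    custom headers, so a POST or a GET that carries the LFS header cannot
    have been triggered by such an embed and is safe to serve directly.
    """
    if alternate_file_domain:
        # Assumption: with security.alternate-file-domain set, data is served
        # over GET from that isolated origin and the main domain redirects to it.
        if req.host == alternate_file_domain:
            return 200, "served from the isolated file domain"
        return 302, "redirect to the alternate file domain"
    if req.method == "POST":
        return 200, "POST cannot originate from a subresource embed"
    if req.method == "GET" and req.header(LFS_HEADER) == LFS_VALUE:
        return 200, "GET with git-lfs header: a Git LFS client, not a browser embed"
    # Plain GET on the main domain with no alternate domain: same 302 as the
    # first curl in the test plan, rather than raw binary data.
    return 302, "plain GET without alternate domain: refuse to serve binary"
```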

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Don't require POST to download LFS files from main domain.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. Apr 7 2016, 3:52 PM
This revision was automatically updated to reflect the committed changes.