
Don't require POST to download LFS files from main domain
Closed, Public

Authored by epriestley on Apr 7 2016, 3:50 PM.

Details

Summary

Ref T7789. If you don't have security.alternate-file-domain configured, we won't serve binary files over GET.

This is a security measure intended to prevent <applet src="..." /> attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.

Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers.

Test Plan

Fetched files over GET with and without the LFS header.

$ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 302 Redirect
...
$ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 200 Content
...
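The decision described in the summary and exercised in the test plan, as an added example that is not Phabricator's own code: a small Python policy function that models when a binary file may be served over GET. The Request class, the function names and the 302/200 mapping are assumptions; the header name and value come from the revision.

```python
# Added example, not Phabricator's code. Models the access decision this
# revision describes: binary file content is only served over GET on the
# main domain when the request carries the Git LFS request-type header.
from dataclasses import dataclass, field

REQUEST_TYPE_HEADER = "X-Phabricator-Request-Type"  # from the test plan
LFS_REQUEST_TYPE = "git-lfs"


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive, so compare in lowercase.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def may_serve_binary_over_get(request, alternate_file_domain_configured):
    """Return (allowed, reason) for serving file bytes in response."""
    if alternate_file_domain_configured:
        # Content lives on a separate origin; embedding it gains nothing.
        return True, "alternate file domain configured"
    if request.method.upper() == "POST":
        # <applet>/<img>/<script> embedding only issues GET requests.
        return True, "POST request"
    if request.header(REQUEST_TYPE_HEADER) == LFS_REQUEST_TYPE:
        # A custom header cannot be attached by an embedded resource fetch,
        # so its presence proves this is a deliberate client (Git LFS) call.
        return True, "git-lfs request header present"
    return False, "plain GET on main domain"


def status_for(request, alternate_file_domain_configured=False):
    """302 (redirect, as in the test plan) or 200 (serve content)."""
    allowed, _ = may_serve_binary_over_get(request, alternate_file_domain_configured)
    return 200 if allowed else 302
```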

Diff Detail

Repository
rP Phabricator

Event Timeline

epriestley retitled this revision from to Don't require POST to download LFS files from main domain.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. Apr 7 2016, 3:52 PM
This revision was automatically updated to reflect the committed changes.