Unauthorized access to files - security issue
Closed, InvalidPublic
Actions

Assigned To

None

Authored By

	exp10r3r
	Aug 19 2016, 6:41 AM

Description

Version info

phabricator f3d8e3832c96040b6319f5f599aa877c2d773c25 (Sun, Aug 14)
arcanist c9337c2ade7c76edc98d27c216ab97fc1e40d01c (Sun, Aug 7)
phutil b6f4e866fdb2c41de23c8e635c7803a09a44e9f4 (Sun, Aug 14)

Steps to Reproduce

System should have User1 (administrator - to create the repo)
Create a new Repo XYZ
Change all policies to Administrator
Add a README file to the same (write, commit and push)
Open the Browse Repository link
Click on the README file
Click on View Raw File
Copy the link and access the link via curl -XGET

Expected Result

If not a Phabricator user,
Should present the login form if accessing via curl

If a Phabricator user but not meeting the access policies,
Prevent Unauthorized Access

If a Phabricator user and meets the access policies,
Let him view the file contents

Actual Result

Displays the content of the file, irrespective of login state

Additional info

Our Global Diffusion policies:

We have enabled public policies for other applications as well

Related Objects

Mentioned Here: T10262: Scramble file secrets when attached objects change their view policies
rARCc9337c2ade7c: (stable) Promote 2016 Week 32
rPHUb6f4e866fdb2: (stable) Promote 2016 Week 33
rPf3d8e3832c96: (stable) Promote 2016 Week 33

Event Timeline

exp10r3r created this task.Aug 19 2016, 6:41 AM

This is intentional (and not a security issue), the URI contains a security token valid for 30 days (or until the policy is changed).

See https://secure.phabricator.com/T10262#168874 for the current policy.

Yes, this is intended behavior. See T10262 for discussion. See T10262#158198 for comparison to other systems, many of which use the same approach to access control for the same reasons.

Unauthorized access to files - security issueClosed, InvalidPublicActions