Page MenuHomePhabricator

Unauthorized access to files - security issue
Closed, InvalidPublic


Version info

phabricator f3d8e3832c96040b6319f5f599aa877c2d773c25 (Sun, Aug 14)
arcanist c9337c2ade7c76edc98d27c216ab97fc1e40d01c (Sun, Aug 7)
phutil b6f4e866fdb2c41de23c8e635c7803a09a44e9f4 (Sun, Aug 14)

Steps to Reproduce

  1. System should have User1 (administrator - to create the repo)
  2. Create a new Repo XYZ
  3. Change all policies to Administrator
  4. Add a README file to the same (write, commit and push)
  5. Open the Browse Repository link
  6. Click on the README file
  7. Click on View Raw File
  8. Copy the link and access the link via curl -XGET

Expected Result

If not a Phabricator user,
Should present the login form if accessing via curl

If a Phabricator user but not meeting the access policies,
Prevent Unauthorized Access

If a Phabricator user and meets the access policies,
Let him view the file contents

Actual Result

Displays the content of the file, irrespective of login state

Additional info

Our Global Diffusion policies:

diffusionbug.png (471×1 px, 38 KB)

We have enabled public policies for other applications as well

Event Timeline

This is intentional (and not a security issue), the URI contains a security token valid for 30 days (or until the policy is changed).

See for the current policy.

epriestley added a subscriber: epriestley.

Yes, this is intended behavior. See T10262 for discussion. See T10262#158198 for comparison to other systems, many of which use the same approach to access control for the same reasons.