src/applications/files/controller/PhabricatorFileDataController.php
Show First 20 Lines • Show All 60 Lines • ▼ Show 20 Lines | public function processRequest() { | ||||
} | } | ||||
$is_viewable = $file->isViewableInBrowser(); | $is_viewable = $file->isViewableInBrowser(); | ||||
$force_download = $request->getExists('download'); | $force_download = $request->getExists('download'); | ||||
if ($is_viewable && !$force_download) { | if ($is_viewable && !$force_download) { | ||||
$response->setMimeType($file->getViewableMimeType()); | $response->setMimeType($file->getViewableMimeType()); | ||||
} else { | } else { | ||||
if (!$request->isHTTPPost()) { | if (!$request->isHTTPPost() && !$alt_domain) { | ||||
// NOTE: Require POST to download files. We'd rather go full-bore and | // NOTE: Require POST to download files from the primary domain. We'd | ||||
// do a real CSRF check, but can't currently authenticate users on the | // rather go full-bore and do a real CSRF check, but can't currently | ||||
// file domain. This should blunt any attacks based on iframes, script | // authenticate users on the file domain. This should blunt any | ||||
// tags, applet tags, etc., at least. Send the user to the "info" page | // attacks based on iframes, script tags, applet tags, etc., at least. | ||||
// if they're using some other method. | // Send the user to the "info" page if they're using some other method. | ||||
hach-que: Users will already be on the alt domain if it's present due to the redirect above. | |||||
return id(new AphrontRedirectResponse()) | return id(new AphrontRedirectResponse()) | ||||
->setURI(PhabricatorEnv::getProductionURI($file->getBestURI())); | ->setURI(PhabricatorEnv::getProductionURI($file->getBestURI())); | ||||
} | } | ||||
$response->setMimeType($file->getMimeType()); | $response->setMimeType($file->getMimeType()); | ||||
$response->setDownload($file->getName()); | $response->setDownload($file->getName()); | ||||
} | } | ||||
return $response; | return $response; | ||||
} | } | ||||
} | } |
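Review bot: The rewrapped NOTE on the new side still explains only why POST is required on the primary domain; it says nothing about why `$alt_domain` lifts that requirement, which is the actual change to the condition in this hunk. Given the comment's own statement that users cannot be authenticated on the file domain, the exemption presumably rests on the alternate domain carrying no primary-domain session, so a plain GET there has nothing to ride on — that assumption, and the fact that it only holds if the alternate domain is a genuinely separate origin rather than a cookie-sharing subdomain, is what a future maintainer needs to see next to the check. I would append to the NOTE: `// When an alternate file domain is configured the download is already served from that domain, where no primary-domain session is available, so the POST requirement is not needed there.` `$alt_domain` is assigned outside the hunk, and processRequest begins before the hunk's first visible line.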
Users will already be on the alt domain if it's present due to the redirect above.