Changeset View
Changeset View
Standalone View
Standalone View
src/applications/files/controller/PhabricatorFileDataController.php
| Show First 20 Lines • Show All 60 Lines • ▼ Show 20 Lines | public function processRequest() { | ||||
| } | } | ||||
| $is_viewable = $file->isViewableInBrowser(); | $is_viewable = $file->isViewableInBrowser(); | ||||
| $force_download = $request->getExists('download'); | $force_download = $request->getExists('download'); | ||||
| if ($is_viewable && !$force_download) { | if ($is_viewable && !$force_download) { | ||||
| $response->setMimeType($file->getViewableMimeType()); | $response->setMimeType($file->getViewableMimeType()); | ||||
| } else { | } else { | ||||
| if (!$request->isHTTPPost()) { | if (!$request->isHTTPPost() && !$alt_domain) { | ||||
| // NOTE: Require POST to download files. We'd rather go full-bore and | // NOTE: Require POST to download files from the primary domain. We'd | ||||
| // do a real CSRF check, but can't currently authenticate users on the | // rather go full-bore and do a real CSRF check, but can't currently | ||||
| // file domain. This should blunt any attacks based on iframes, script | // authenticate users on the file domain. This should blunt any | ||||
| // tags, applet tags, etc., at least. Send the user to the "info" page | // attacks based on iframes, script tags, applet tags, etc., at least. | ||||
| // if they're using some other method. | // Send the user to the "info" page if they're using some other method. | ||||
hach-que: Users will already be on the alt domain if it's present due to the redirect above. | |||||
| return id(new AphrontRedirectResponse()) | return id(new AphrontRedirectResponse()) | ||||
| ->setURI(PhabricatorEnv::getProductionURI($file->getBestURI())); | ->setURI(PhabricatorEnv::getProductionURI($file->getBestURI())); | ||||
| } | } | ||||
| $response->setMimeType($file->getMimeType()); | $response->setMimeType($file->getMimeType()); | ||||
| $response->setDownload($file->getName()); | $response->setDownload($file->getName()); | ||||
| } | } | ||||
| return $response; | return $response; | ||||
| } | } | ||||
| } | } | ||||
Users will already be on the alt domain if it's present due to the redirect above.