src/applications/files/controller/PhabricatorFileDataController.php
Show First 20 Lines • Show All 76 Lines • ▼ Show 20 Lines | if ($range) { | ||||
$response->setHTTPResponseCode(206); | $response->setHTTPResponseCode(206); | ||||
$response->setRange($begin, ($end - 1)); | $response->setRange($begin, ($end - 1)); | ||||
} | } | ||||
} | } | ||||
$is_viewable = $file->isViewableInBrowser(); | $is_viewable = $file->isViewableInBrowser(); | ||||
$force_download = $request->getExists('download'); | $force_download = $request->getExists('download'); | ||||
$request_type = $request->getHTTPHeader('X-Phabricator-Request-Type'); | |||||
$is_lfs = ($request_type == 'git-lfs'); | |||||
if ($is_viewable && !$force_download) { | if ($is_viewable && !$force_download) { | ||||
$response->setMimeType($file->getViewableMimeType()); | $response->setMimeType($file->getViewableMimeType()); | ||||
} else { | } else { | ||||
if (!$request->isHTTPPost() && !$is_alternate_domain) { | if (!$request->isHTTPPost() && !$is_alternate_domain && !$is_lfs) { | ||||
// NOTE: Require POST to download files from the primary domain. We'd | // NOTE: Require POST to download files from the primary domain. We'd | ||||
// rather go full-bore and do a real CSRF check, but can't currently | // rather go full-bore and do a real CSRF check, but can't currently | ||||
// authenticate users on the file domain. This should blunt any | // authenticate users on the file domain. This should blunt any | ||||
// attacks based on iframes, script tags, applet tags, etc., at least. | // attacks based on iframes, script tags, applet tags, etc., at least. | ||||
// Send the user to the "info" page if they're using some other method. | // Send the user to the "info" page if they're using some other method. | ||||
// This is marked as "external" because it is fully qualified. | // This is marked as "external" because it is fully qualified. | ||||
return id(new AphrontRedirectResponse()) | return id(new AphrontRedirectResponse()) | ||||
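Review bot: The new `!$is_lfs` exemption on the primary-domain POST requirement is only safe because a custom request header cannot be attached by the iframe/script/applet vectors the existing NOTE describes, and nothing in the hunk records that reasoning, so a later CORS change that lists `X-Phabricator-Request-Type` in `Access-Control-Allow-Headers` would silently reopen the hole the POST check blunts. I would add, directly above the `$request_type` line, `// Git LFS clients fetch with GET; accept the custom request header instead, since` / `// browsers will not attach it to cross-origin iframe/script/applet loads without` / `// a CORS preflight, so the CSRF-blunting intent of the POST check below is kept.` The loose comparison should also be strict, `$is_lfs = ($request_type === 'git-lfs');`, so `$is_lfs` is a bool whatever getHTTPHeader() returns when the header is absent (presumably null). The enclosing controller method starts and ends outside this hunk.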