
Allow only CDN routes when using security.alternate-file-domain
ClosedPublic

Authored by bttelle on Jul 25 2014, 1:48 AM.
Details

Summary

Instead of allowing all routes based on security.alternate-file-domain, requests are now validated against an explicit list when security.alternate-file-domain is set and the request matches this domain. Allowed routes:

  • /res/
  • /file/data/
  • /file/xform/
  • /phame/r/

This will be redone by T5702 to be less of a hack.

Test Plan
  • browse around (incl. Phame live) to make sure there is no regression from this when security.alternate-file-domain is not used.
  • check that celerity resources and files (incl. previews) are served with security.alternate-file-domain set.
  • check that phame live blog is serving its css correctly with security.alternate-file-domain set.
  • check that requests outside of the whitelist generate an exception for security.alternate-file-domain.
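The check the summary and test plan describe, as an added stand-alone example (not Phabricator's own code): requests whose Host matches the configured alternate file domain may only reach the four listed route prefixes, everything else raises, and an unset setting or a request to the main application host is unrestricted. Hostnames, the `check_cdn_route` / `is_cdn_request_allowed` names and the dot-segment normalization are assumptions of this example.

```python
import posixpath
from urllib.parse import urlsplit

# Route prefixes the revision summary lists as allowed on the alternate file domain.
CDN_ROUTE_PREFIXES = ("/res/", "/file/data/", "/file/xform/", "/phame/r/")

class AlternateFileDomainError(Exception):
    """A request on the alternate file domain asked for a non-CDN route."""

def _host_of(value):
    # The setting is normally a URL; also accept a bare "host[:port]" Host header.
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split(":", 1)[0].lower()

def _normalize_path(request_path):
    # Keep only the path (query and fragment never widen the match), force a
    # leading slash, and collapse "." / ".." segments so "/res/../x/" is judged
    # as "/x/". Dot-segment collapsing is a defensive assumption of this example.
    path = urlsplit(request_path).path or "/"
    if not path.startswith("/"):
        path = "/" + path
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # normpath strips the trailing slash the prefixes need
    return normalized

def check_cdn_route(alternate_file_domain, request_host, request_path):
    """Return True when the request may be served, else raise.
    alternate_file_domain is security.alternate-file-domain, or None when unused
    (then nothing is restricted, exactly as before the change)."""
    if not alternate_file_domain:
        return True
    if _host_of(request_host) != _host_of(alternate_file_domain):
        return True  # main application host, not the file domain: unrestricted
    path = _normalize_path(request_path)
    if any(path.startswith(prefix) for prefix in CDN_ROUTE_PREFIXES):
        return True
    raise AlternateFileDomainError(
        "%r is not a CDN route on the alternate file domain" % path)

def is_cdn_request_allowed(alternate_file_domain, request_host, request_path):
    # Boolean convenience wrapper around check_cdn_route().
    try:
        return check_cdn_route(alternate_file_domain, request_host, request_path)
    except AlternateFileDomainError:
        return False
```

The three outcomes map onto the test plan above: unset setting unrestricted, celerity resources, file data and Phame live CSS served, anything else on the file domain rejected.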

Diff Detail

Repository
rP Phabricator
Branch
cdnroutes
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 1893
Build 1894: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

bttelle retitled this revision from to Allow only CDN routes when using security.alternate-file-domain.
bttelle updated this object.
bttelle edited the test plan for this revision. (Show Details)
bttelle added a reviewer: epriestley.
bttelle edited edge metadata.

I tested this diff against my own phabricator install with and without security.alternate-file-domain set.

Normalized indent to two spaces per level.

epriestley edited edge metadata.

This looks correct to me. Thanks!

This revision is now accepted and ready to land. Jul 25 2014, 1:39 PM
epriestley updated this revision to Diff 24172.

Closed by commit rPc006cca9b1e9 (authored by Joseph Battelle <git@bttelle.com>, committed by @epriestley).