
Don't require POST to download LFS files from main domain
ClosedPublic

Authored by epriestley on Apr 7 2016, 3:50 PM.
Tags
None
Subscribers
None

Details

Summary

Ref T7789. If you don't have security.alternate-file-domain configured, we won't serve binary files over GET.

This is a security measure intended to prevent <applet src="..." /> attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.

Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers.
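The access rule the summary describes, as an added example that is not Phabricator's own code: the function names, argument names and return values below are assumptions made here for illustration, while the header name and value come from the test plan. The decision mirrors the three cases in the summary (alternate file domain configured, POST, or GET carrying the Git LFS request-type header) and the replay function runs the two curl requests from the test plan through it.

```python
"""Illustrative reimplementation of the file-download decision described in
the revision summary.  This is an added example, not Phabricator's code:
file_download_decision() and replay_test_plan() are names assumed here."""

# Header name and value as used by the curl command in the test plan.
LFS_REQUEST_TYPE_HEADER = "X-Phabricator-Request-Type"
LFS_REQUEST_TYPE_VALUE = "git-lfs"


def file_download_decision(method, headers, alternate_file_domain_configured):
    """Return "serve" if the binary may be returned directly, or "redirect"
    for the 302 seen in the test plan.

    Rules, as stated in the summary:
      * With security.alternate-file-domain configured the bytes come from a
        separate origin, so any GET is fine.
      * Without it, a plain GET is refused so that content a browser embeds
        (applet/object/img tags) never receives the bytes from the main origin.
      * POST is allowed: a browser subresource load is always a GET.
      * GET with the Git LFS request-type header is allowed: embedding tags
        cannot attach arbitrary HTTP headers, so the header shows the request
        came from an LFS client rather than from a browser embed.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    verb = method.upper()

    if alternate_file_domain_configured:
        return "serve"
    if verb == "POST":
        return "serve"
    if verb == "GET":
        request_type = normalised.get(LFS_REQUEST_TYPE_HEADER.lower(), "")
        # Exact match only: a similar-looking value does not qualify.
        if request_type.strip() == LFS_REQUEST_TYPE_VALUE:
            return "serve"
        return "redirect"
    # Any other verb gets the conservative answer.
    return "redirect"


def replay_test_plan():
    """Run the two curl requests from the test plan through the policy:
    a bare GET (expected 302 -> "redirect"), then a GET carrying the
    Git LFS header (expected 200 -> "serve")."""
    bare_get = file_download_decision(
        "GET", {}, alternate_file_domain_configured=False)
    lfs_get = file_download_decision(
        "GET", {LFS_REQUEST_TYPE_HEADER: LFS_REQUEST_TYPE_VALUE},
        alternate_file_domain_configured=False)
    return bare_get, lfs_get


if __name__ == "__main__":
    print(replay_test_plan())  # ('redirect', 'serve')
```

The custom-header check works for the same reason the custom-header defence against CSRF works: markup-driven loads cannot set arbitrary request headers. The caveat a deployer should keep in mind is that this assumption holds only while the main domain does not answer cross-origin requests with an Access-Control-Allow-Headers policy that whitelists this header, which is a general CORS observation rather than something the revision itself changes.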

Test Plan

Fetched files over GET with and without the LFS header.

$ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 302 Redirect
...
$ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 200 Content
...

Diff Detail

Repository
rP Phabricator
Branch
lfs15
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 11588
Build 14482: Run Core Tests
Build 14481: arc lint + arc unit

Event Timeline

epriestley retitled this revision from to Don't require POST to download LFS files from main domain.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. Apr 7 2016, 3:52 PM
This revision was automatically updated to reflect the committed changes.