HomePhabricator
Diffusion Phabricator 37b93f426225

Don't require POST to download LFS files from main domain
37b93f426225
Actions

Description

Don't require POST to download LFS files from main domain

Summary:
Ref T7789. If you don't have security.alternate-file-domain configured, we won't serve binary files over GET.

This is a security measure intended to prevent <applet src="..." /> attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy.

Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers.

Test Plan:
Fetched files over GET with and without the LFS header.

$ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 302 Redirect
...
$ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null
...
HTTP 200 Content
...

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7789

Differential Revision: https://secure.phabricator.com/D15654

Details

Provenance
epriestleyAuthored on Apr 7 2016, 3:45 PM
epriestleyPushed on Apr 7 2016, 3:55 PM
Reviewer
chad
Differential Revision
D15654: Don't require POST to download LFS files from main domain
Parents
rP27104b57c827: Account for raw limits properly in CalendarEventQuery
Branches
Unknown
Tags
Unknown
Tasks
T7789: Support Git Large File Storage
Build Status
Buildable 11589
Build 14483: Run Core Tests

Changes (2)

PathSize
src/
applications/
diffusion/
controller/
files/
controller/

rP37b93f426225

View Options

src/applications/diffusion/controller/DiffusionServeController.php

Loading...
View Options

src/applications/files/controller/PhabricatorFileDataController.php

Loading...
Phabricator ยท Built by Phacility