
Only require POST to fetch file data if the viewer is logged in
2896da384cb7 (Unpublished)


Description

Only require POST to fetch file data if the viewer is logged in

Summary:
Ref T11357. In D17611, I added file.search, which includes a "dataURI". Partly, this is building toward resolving T8348.

However, in some cases you can't GET this URI because of a security measure:

  • You have not configured security.alternate-file-domain.
  • The file isn't web-viewable.
  • (The request isn't an LFS request.)

The goal of this security mechanism is just to protect against session hijacking, so it's also safe to disable it if the viewer didn't present any credentials (since that means there's nothing to hijack). Add that exception, and reorganize the code a little bit.

Test Plan:

  • From the browser (with a session), tried to GET a binary data file. Got redirected.
  • Got a download with POST.
  • From the CLI (without a session), tried to GET a binary data file. Got a download.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11357

Differential Revision: https://secure.phabricator.com/D17613
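The access rule described in the summary, written out as an added example. This is not Phabricator's code and does not use its classes; the class name, the request array shape and the redirect target are assumptions made for illustration. It shows the three conditions under which a GET is already allowed, the exception this commit adds for requests that present no session credentials, and the three cases from the test plan run through the policy.

```php
<?php
// Added example (not Phabricator's own code). Models the decision the
// commit message describes: when file data is served from the primary
// domain, a credentialed GET is refused and redirected, unless the
// request carries no session (nothing to hijack). The $request shape
// and all names below are assumptions for illustration.

final class FileDataAccessPolicy {

  private $hasAlternateFileDomain;

  public function __construct($hasAlternateFileDomain) {
    // True when security.alternate-file-domain is configured.
    $this->hasAlternateFileDomain = (bool)$hasAlternateFileDomain;
  }

  /**
   * Decide whether a request for file data must use POST.
   *
   * @param bool $isWebViewable    File is web-viewable.
   * @param bool $isLfsRequest     Request comes from the LFS protocol.
   * @param bool $viewerHasSession Request presented session credentials.
   * @return bool
   */
  public function requiresPost($isWebViewable, $isLfsRequest, $viewerHasSession) {
    if ($this->hasAlternateFileDomain) {
      // File content is served from a separate origin; GET is safe.
      return false;
    }
    if ($isWebViewable) {
      return false;
    }
    if ($isLfsRequest) {
      return false;
    }
    if (!$viewerHasSession) {
      // Exception added by this commit: with no credentials presented,
      // there is no session to hijack, so GET is allowed.
      return false;
    }
    return true;
  }

  /**
   * Apply the policy to a request. Returns an action array so the
   * outcome can be inspected without an HTTP layer.
   */
  public function handle(array $request) {
    $method = strtoupper($request['method']);
    $mustPost = $this->requiresPost(
      $request['web_viewable'],
      $request['lfs'],
      $request['has_session']);

    if ($mustPost && $method !== 'POST') {
      // Mirrors "tried to GET ... Got redirected": send the browser to
      // a page that submits the download as a POST (assumed URI shape).
      return array('action' => 'redirect', 'to' => $request['uri'].'?confirm=1');
    }
    return array('action' => 'download');
  }
}

// Constructed sample requests matching the three test-plan cases.
// No alternate file domain is configured, and the file is binary.
$policy = new FileDataAccessPolicy(false);
$cases = array(
  'browser GET with session'  => array('method' => 'GET',  'web_viewable' => false, 'lfs' => false, 'has_session' => true,  'uri' => '/file/data/abc/'),
  'browser POST with session' => array('method' => 'POST', 'web_viewable' => false, 'lfs' => false, 'has_session' => true,  'uri' => '/file/data/abc/'),
  'CLI GET without session'   => array('method' => 'GET',  'web_viewable' => false, 'lfs' => false, 'has_session' => false, 'uri' => '/file/data/abc/'),
);
foreach ($cases as $label => $req) {
  $result = $policy->handle($req);
  printf("%-26s => %s\n", $label, $result['action']);
}
```

Running it yields `redirect` for the credentialed browser GET and `download` for the other two cases, which is the behaviour the test plan records. The order of the checks matters for readability more than correctness here: every early `return false` is an independent reason the POST requirement does not apply, and only a credentialed, non-LFS request for a non-viewable file on the primary domain falls through to `true`.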

Details

Provenance
epriestley <git@epriestley.com>, authored on Apr 4 2017, 6:06 PM
Parents
rPHAB2369fa38e187: Provide a modern ("v3") API for querying files ("file.search")

Event Timeline

epriestley <git@epriestley.com> committed rPHAB2896da384cb7: Only require POST to fetch file data if the viewer is logged in (authored by epriestley <git@epriestley.com>). Apr 5 2017, 1:16 AM