Prevent file download without POST + CSRF

Summary: This prevents <applet /> attacks unless the attacker can upload an
applet which has a viewable MIME type as detected by `file`. I'm not sure if
this is possible or not. It should, at least, narrow the attack window. There
are no real tradeoffs here, this is probably a strictly better application
behavior regardless of the security issues.

Test Plan:
  - Tried to download a file via GET, got redirected to info.
  - Downloaded a file via POST + CSRF from the info page.

Reviewers: andrewjcg, erling, aran, jungejason, tuomaspelkonen
CC: aran
Differential Revision: 759
This commit is contained in:
epriestley
2011-08-01 21:01:37 -07:00
parent 3aa17c7443
commit 355b753df7
3 changed files with 12 additions and 10 deletions


@@ -55,6 +55,16 @@ class PhabricatorFileViewController extends PhabricatorFileController {
$download = true;
}
if ($download) {
if (!$request->isFormPost()) {
// Require a POST to download files to hinder attacks where you
// <applet src="http://phabricator.example.com/file/..." /> on some
// other domain.
return id(new AphrontRedirectResponse())
->setURI($file->getInfoURI());
}
}
if ($download) {
$mime_type = $file->getMimeType();
} else {
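Review bot: The new `if (!$request->isFormPost())` branch only enforces the POST half of the title's "POST + CSRF"; nothing in the visible lines validates a CSRF token, so either `isFormPost()` must already do that (worth stating in the comment, since the protection depends on it) or an explicit CSRF check belongs here before the download proceeds. Style-wise, the added block and the `if ($download) { $mime_type = ... }` that immediately follows test the same condition twice; folding the POST check into the existing block, e.g. `if ($download) { if (!$request->isFormPost()) { ... } $mime_type = $file->getMimeType(); }`, would keep the download path in one place. The comment's `<applet src=...>` is illustrative only (`applet` takes `code`/`archive`, not `src`), so a more general wording such as "cross-origin embedding from another domain" would describe the threat more accurately.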