Don't require POST to download LFS files from main domain

Summary: Ref T7789. If you don't have `security.alternate-file-domain` configured, we won't serve binary files over GET. This is a security measure intended to prevent `<applet src="..." />` attacks and similar, where you upload some "dangerous" binary, include it in another page, and it gets some of the host's permissions because Java/Flash security models are (or were, in the past) goofy. Allow them to be served over GET if the client is Git LFS. This is safe; these attacks can't add arbitrary HTTP headers. Test Plan: Fetched files over GET with and without the LFS header. ``` $ curl -v http://local.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null ... HTTP 302 Redirect ... ``` ``` $ curl -v -H 'X-Phabricator-Request-Type: git-lfs' http://localcontent.phacility.com/file/data/@local/jfht2cxjazi5cmjomfhl/PHID-FILE-sa7mh2pfaocz2adiimeh/netgear_rma.pdf > /dev/null ... HTTP 200 Content ... ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T7789 Differential Revision: https://secure.phabricator.com/D15654
2016-04-07 08:45:56 -07:00
parent 27104b57c8
commit 37b93f4262
2 changed files with 5 additions and 1 deletions
--- a/src/applications/diffusion/controller/DiffusionServeController.php
+++ b/src/applications/diffusion/controller/DiffusionServeController.php
@@ -996,6 +996,7 @@ final class DiffusionServeController extends DiffusionController {
            'href' => $get_uri,
            'header' => array(
              'Authorization' => $no_authorization,
+              'X-Phabricator-Request-Type' => 'git-lfs',
            ),
          );
        } else {