Provide a setting which forces all file views to be served from an alternate domain

Summary: See D758, D759.
- Provide a strongly recommended setting which permits configuration of an alternate domain.
- Lock cookies down better: set them on the exact domain, and use SSL-only if the configuration is HTTPS.
- Prevent Phabricator from setting cookies on other domains. This assumes D759 will land; it is not effective without that change.

Test Plan:
- Attempted to login from a different domain and was rejected.
- Logged out, logged back in normally.
- Put install in setup mode and verified it revealed a warning.
- Configured an alternate domain.
- Tried to view an image with an old URI, got a 400.
- Went to /files/ and verified links rendered to the alternate domain.
- Viewed an alternate domain file.
- Tried to view an alternate domain file without the secret key, got a 404.

Reviewers: andrewjcg, erling, aran, tuomaspelkonen, jungejason, codeblock
CC: aran
Differential Revision: 760
@@ -56,6 +56,7 @@ class AphrontDefaultApplicationConfiguration
'(?P<view>info)/(?P<phid>[^/]+)/' => 'PhabricatorFileViewController',
'(?P<view>view)/(?P<phid>[^/]+)/' => 'PhabricatorFileViewController',
'(?P<view>download)/(?P<phid>[^/]+)/' => 'PhabricatorFileViewController',
'alt/(?<key>[^/]+)/(?<phid>[^/]+)/' => 'PhabricatorFileAltViewController',
'macro/' => array(
'$' => 'PhabricatorFileMacroListController',
'edit/(?:(?P<id>\d+)/)?$' => 'PhabricatorFileMacroEditController',
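Review bot: the new `alt/` route uses the `(?<key>…)` and `(?<phid>…)` capture syntax while every neighbouring route in this table uses the `(?P<name>…)` form; PCRE accepts both, but one consistent style keeps the routing table easy to grep and review, so consider `'alt/(?P<key>[^/]+)/(?P<phid>[^/]+)/'`. Since `key` is the secret that gates file access on the alternate domain (the test plan expects a 404 when it is absent), it is also worth tightening `[^/]+` to the exact character class the key is generated from, so malformed keys are rejected by the router before they reach `PhabricatorFileAltViewController`.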