da1d57b60a
before displaying it Summary: @alok reported a vulnerability where Flash will run carefully-crafted plain text files. When the user requests a raw file, cache it into Files if it isn't already there. Then redirect them to Files. This solves the problem by executing the SWF/TXT with CDN-domain permissions, not content-domain permissions, provided the install is correctly configured. (Followup diff coming to make this more universally true.) NOTE: We'll still show raw data in Diffusion. The barrier to XSS here is much higher (you need commit access) but I'll do something similar there. We aren't vulnerable in Paste, since we already use Files. Test Plan: Clicked "View Old File", "View New File" in an alt-domain configuration, got redirected to a cookie-free domain before being delivered the response. Reviewers: btrahan, alok Reviewed By: btrahan CC: aran, epriestley Differential Revision: https://secure.phabricator.com/D1607
Phabricator is a open source collection of web applications which make it easier to write, review, and share source code. Phabricator was developed at Facebook. This is an early release. It's pretty high-quality and usable, but under active development so things may change quickly. You can learn more about the project and find links to documentation and resources at: http://phabricator.org/ LICENSE Phabricator is released under the Apache 2.0 license except as otherwise noted. http://www.apache.org/licenses/LICENSE-2.0