Diffusion hydra 355b753df70c

Prevent file download without POST + CSRF

Description

Summary: This prevents <applet /> attacks unless the attacker can upload an
applet which has a viewable MIME type as detected by file. I'm not sure if
this is possible or not. It should, at least, narrow the attack window. There
are no real tradeoffs here; this is probably a strictly better application
behavior regardless of the security issues.
Test Plan:

  • Tried to download a file via GET, got redirected to info.
  • Downloaded a file via POST + CSRF from the info page.

Reviewers: andrewjcg, erling, aran, jungejason, tuomaspelkonen
CC: aran
Differential Revision: 759

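As an added illustration of the behaviour this commit describes (example code, not Phabricator's own): a framework-independent handler for a hypothetical `/file/data/<id>/` route that redirects any GET to the file's info page and returns the bytes only on a POST that carries a valid per-session CSRF token. The in-memory file store, the session id, `SERVER_SECRET`, the `__csrf__` form field name and the `attachment` disposition are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-in for the file store (hypothetical, not Phabricator's).
FILES = {
    "PHID-FILE-1": {
        "name": "evil.jar",
        "mime": "application/java-archive",
        "data": b"PK\x03\x04constructed-jar-bytes",
    },
}

# Per-deployment secret used to derive CSRF tokens (assumption for this example).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Derive the CSRF token for a session as an HMAC over the session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison of a submitted token against the expected one."""
    if not token:
        return False
    return hmac.compare_digest(csrf_token(session_id), token)


def handle_file_data(method: str, file_id: str, session_id: str, form: dict):
    """Handler for the hypothetical /file/data/<id>/ route.

    Returns (status, headers, body). GET never yields file bytes; it is sent to
    the info page, where a POST form with the CSRF token performs the download.
    """
    if file_id not in FILES:
        return 404, {}, b"Not Found"

    if method != "POST":
        # <applet>, <img>, <script src=...> and similar tags can only issue GETs,
        # so embedding the stored file from another page gets this redirect.
        return 302, {"Location": f"/file/info/{file_id}/"}, b""

    # The form field name "__csrf__" is an assumption for this example.
    if not verify_csrf(session_id, form.get("__csrf__")):
        return 403, {}, b"Invalid CSRF token"

    f = FILES[file_id]
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{f["name"]}"',
        "X-Content-Type-Options": "nosniff",  # added hardening, not from the commit
    }
    return 200, headers, f["data"]
```

The gate is the request method plus the token, not the file's content: a GET from any tag or cross-site page is redirected, a POST without the session-bound token is refused, and only the info page's own form can complete the download.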
Details

Provenance
  Authored by epriestley on Aug 2 2011, 12:01 AM
  Pushed by sirocyl on Oct 16 2024, 5:49 AM
Parents
  R1:3aa17c74436e: Prevent CSRF uploads via /file/dropupload/