Use a proper entropy source to generate file keys

Authored by epriestley <git@epriestley.com> on Oct 23 2011, 22:50.

Description

Use a proper entropy source to generate file keys

Summary:
See T549. Under configurations where files are served from an alternate domain
which does not have cookie credentials, we use random keys to prevent browsing,
similar to how Facebook relies on pseudorandom information in image URIs (we
could some day go farther than this and generate file sessions on the alternate
domain or something, I guess).

Currently, we generate these random keys in a roundabout manner. Instead, use a
real entropy source and store the key on the object. This reduces the number of
sha1() calls in the codebase as per T547.

Test Plan: Ran upgrade scripts, verified database was populated correctly.
Configured alternate file domain, uploaded file, verified secret generated and
worked properly. Changed secret, was given 404.

Reviewers: jungejason, benmathews, nh, tuomaspelkonen, aran

Reviewed By: aran

CC: aran, epriestley

Differential Revision: 1036
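
The scheme the commit message describes (a per-file secret drawn from a real entropy source, stored on the object, and checked on the cookieless alternate domain) can be sketched as follows. This is an added example, not code from this commit or from Phabricator: the class, function, URI layout and domain are hypothetical, and it assumes PHP 7+ for `random_bytes()`.

```php
<?php
// Added illustration: all names and the /file/alt/ URI layout are
// hypothetical, not Phabricator's actual code.
final class ExampleFile {
  private $id;
  private $secretKey;

  public function __construct($id) {
    $this->id = (int)$id;
    // 15 bytes from the OS CSPRNG encode to 20 URL-safe characters (120 bits).
    $raw = random_bytes(15);
    $this->secretKey = strtr(base64_encode($raw), '+/', '-_');
  }

  public function getViewURI($alt_domain) {
    return rtrim($alt_domain, '/').'/file/alt/'.$this->secretKey.'/'.$this->id.'/';
  }

  // Constant-time comparison, so response timing does not reveal how many
  // leading characters of a guessed key were correct.
  public function isValidKey($presented) {
    return is_string($presented) && hash_equals($this->secretKey, $presented);
  }
}

// Returns the HTTP status the alternate domain would send for a request path.
function example_status_for_path(array $files, $path) {
  if (!preg_match('@^/file/alt/([A-Za-z0-9_-]{20})/(\d+)/$@', $path, $m)) {
    return 404;
  }
  $id = (int)$m[2];
  // An unknown file and a wrong key look identical to the client.
  if (!isset($files[$id]) || !$files[$id]->isValidKey($m[1])) {
    return 404;
  }
  return 200;
}

// Constructed sample data: one file, requested with its real key and a changed key.
$file = new ExampleFile(7);
$files = array(7 => $file);
$path = parse_url($file->getViewURI('https://files.example.net'), PHP_URL_PATH);
var_dump(example_status_for_path($files, $path));
$bad = '/file/alt/'.str_repeat('A', 20).'/7/';
var_dump(example_status_for_path($files, $bad));
```

Because the key is stored on the object rather than recomputed from other values, nothing else about the file has to stay secret for its URI to stay unguessable.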

Details

Committed: epriestley <git@epriestley.com> on Oct 23 2011, 23:42
Pushed: aubort on Jan 31 2017, 17:16
Parents: rPHddce177d8157: Add a name token table so on-demand typeaheads can match last names
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH0669abc5f0e1: Use a proper entropy source to generate file keys (authored by epriestley <git@epriestley.com>). Oct 23 2011, 23:42