Page MenuHomePhorge
Differential D25464

Enforce viewable MIME types config on PDF documents
ClosedPublic
Actions

Authored by l2dy on Nov 11 2023, 08:13.

Details

Reviewers
speck
Group Reviewers
O1: Blessed Committers
Commits
rP16d9cc12af45: Enforce viewable MIME types config on PDF documents
Summary

Let instance admins decide whether to allow PDFs to be viewable as a Web page. See https://github.com/mozilla-conduit/phabricator/commit/5ec132bf9ebfb90558f1b7f646772176629f86d0.

MOZILLA: Instead of always allowing PDFs to be viewable in the web UI, [...]
This checks that the PDF mimetype is viewable according to the system
configuration.

Ref Q83.

Test Plan
  1. Set files.viewable-mime-types to exclude application/pdf.
  2. Upload a pdf file.
  3. See "No document engine can render the contents of this file." in web UI.

Diff Detail

Repository
rP Phorge
Branch
security/respect-viewable-mime
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 906
Build 906: arc lint + arc unit

Event Timeline

l2dy created this revision.Nov 11 2023, 08:13
Owners added a reviewer: O1: Blessed Committers.Nov 11 2023, 08:13
Herald added subscribers: Cigaryno, Matthew, valerio.bozzolan, tobiaswiese. · View Herald TranscriptNov 11 2023, 08:13
l2dy requested review of this revision.Nov 11 2023, 08:13
Harbormaster completed remote builds in B906: Diff 1473.Nov 11 2023, 08:13
l2dy mentioned this in Q83: Pull security fixes from Mozilla's fork.Nov 11 2023, 08:13
l2dy mentioned this in Q83: Pull security fixes from Mozilla's fork (Answer 108).Nov 11 2023, 08:25
l2dy updated this revision to Diff 1474.Nov 11 2023, 10:45

Update config description

Harbormaster completed remote builds in B907: Diff 1474.Nov 11 2023, 10:45
speck subscribed.Nov 11 2023, 15:51

The Referenced Files section of this diff looks like someone is looking for a vulnerability. Any idea what’s happening here?

l2dy added a comment.Nov 11 2023, 23:18
In D25464#13328, @speck wrote:

The Referenced Files section of this diff looks like someone is looking for a vulnerability. Any idea what’s happening here?

That's a different issue unrelated to this patch. Let's track it in T15665.

l2dy edited the summary of this revision. (Show Details)Nov 12 2023, 06:13
l2dy edited the summary of this revision. (Show Details)Nov 12 2023, 07:08
speck added a comment.Nov 12 2023, 15:23

This will require documentation of some sort, specifically for the upgrade notes to indicate that if someone relies on rendering PDFs currently then after upgrading they would need to update that configuration.

I think making a task to document the issue and linking in the release notes would be a good approach and what upstream would typically have done.

src/applications/files/config/PhabricatorFilesConfigOptions.php
140 ↗(On Diff #1474)

Linking to the task here might also be a good idea.

l2dy added a comment.Nov 12 2023, 15:40
In D25464#13372, @speck wrote:

This will require documentation of some sort, specifically for the upgrade notes to indicate that if someone relies on rendering PDFs currently then after upgrading they would need to update that configuration.

I think making a task to document the issue and linking in the release notes would be a good approach and what upstream would typically have done.

This change is a defense-in-depth and opt-in only measure. I intentionally did not modify the default files.viewable-mime-types, which still includes application/pdf, so that it is not a breaking change.

Unless there is proof of successful exploit, which may have been demonstrated in Mozilla's private bug tracker that I don't have access to, I'm still doubtful whether video, audio and PDF files viewed inline could introduce a XSS vulnerability. I did not add the Security tag because of this.

speck accepted this revision.Nov 12 2023, 15:49

Okay I misunderstood the default value. I don’t think a security tag is necessary either.

Accepting - only discussion on phrasing but functional change looks good

src/applications/files/config/PhabricatorFilesConfigOptions.php
140 ↗(On Diff #1474)

Instead of “some types are vulnerable” what do you think of “some types may be vulnerable XSS exploits when rendered by the browser”?

This revision is now accepted and ready to land.Nov 12 2023, 15:49
l2dy added inline comments.Nov 12 2023, 15:51
src/applications/files/config/PhabricatorFilesConfigOptions.php
140 ↗(On Diff #1474)

text/html is apparently vulnerable to XSS attacks, but it's not included in $viewable_default, so we are safe from that.

In conclusion, there isn't sufficient proof yet to disable certain MIME types in $viewable_default, and I could not make a task with incomplete (maybe even incorrect) information.

I hope Mozilla's engineers could chime in and help, but before that we could land this as an opt-in configuration.

l2dy updated this revision to Diff 1485.Nov 12 2023, 15:57

Phrasing

Harbormaster completed remote builds in B915: Diff 1485.Nov 12 2023, 15:57
l2dy marked an inline comment as done.Nov 12 2023, 16:00
l2dy added inline comments.
src/applications/files/config/PhabricatorFilesConfigOptions.php
140 ↗(On Diff #1474)

Thanks for your advice. To be consistent with "viewed directly in the browser" in the first sentence, I rephrased it a bit differently, but it's definitely clearer than before.

l2dy marked an inline comment as done.Nov 12 2023, 16:02
Closed by commit rP16d9cc12af45: Enforce viewable MIME types config on PDF documents. · Explain WhyNov 12 2023, 16:13
This revision was automatically updated to reflect the committed changes.
l2dy added a commit: rP16d9cc12af45: Enforce viewable MIME types config on PDF documents.

Revision Contents
Changeset List

PathSizePackages
src/
applications/
files/
document/
16 linesO1: Blessed Committers

Diff 1473

View Options

src/applications/files/document/PhabricatorPDFDocumentEngine.php

Loading...
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0