Ownership of the file must be proved before being added to a repository

Currently once a file has been uploaded once on the instance all the checks are bypassed and the file can be added to any repository without needing to upload it again. While this saves bandwidth and saves the uploader some time, it also means that a malicious user can get access to any objects available on the instance as soon as it knows the object ID.

This is part of story #12322: have git-lfs batch and basic transfer API

Change-Id: I8fcb78da8d7f298c6a2d7a2a0eeef94145442379

Modified Files

M plugins/gitlfs/include/LFSObject/LFSObjectPathAllocator.php +4 −4
M plugins/gitlfs/include/LFSObject/LFSObjectRetriever.php +8 −0
M plugins/gitlfs/include/Transfer/Basic/LFSBasicTransferObjectSaver.php +14 −10
M plugins/gitlfs/include/Transfer/Basic/LFSBasicTransferUploadController.php +1 −0
M plugins/gitlfs/include/Transfer/LFSTransferVerifier.php +17 −3
M plugins/gitlfs/phpunit/LFSObject/LFSObjectRetrieverTest.php +23 −0
M plugins/gitlfs/phpunit/Transfer/Basic/LFSBasicTransferObjectSaverTest.php +18 −10
M plugins/gitlfs/phpunit/Transfer/LFSTransferVerifierTest.php +23 −0
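
The issue described in the commit message above, as an added example that is not the project's code: a simplified in-memory model contrasting an instance-wide existence check with a per-repository one. The `LfsStore` class and its method names are hypothetical, and it assumes that ownership is proved by uploading content whose SHA-256 matches the object ID.

```php
<?php
// Simplified in-memory model of LFS upload handling; names are hypothetical, not the project's API.
final class LfsStore
{
    private array $blobs = []; // oid => content, stored once per instance
    private array $links = []; // repository id => [oid => true]

    // Behaviour the commit message describes: a known OID is linked with no upload.
    public function batchUploadInstanceWide(int $repoId, string $oid): string
    {
        if (! isset($this->blobs[$oid])) {
            return 'upload-required';
        }
        $this->links[$repoId][$oid] = true;
        return 'already-present';
    }

    // Hardened: only an object already linked to this repository skips the upload.
    public function batchUploadPerRepository(int $repoId, string $oid): string
    {
        return isset($this->links[$repoId][$oid]) ? 'already-present' : 'upload-required';
    }

    // The body must hash to the claimed OID, so the client has to hold the content.
    public function receiveUpload(int $repoId, string $oid, string $body): bool
    {
        if (! hash_equals($oid, hash('sha256', $body))) {
            return false;
        }
        $this->blobs[$oid] ??= $body;
        $this->links[$repoId][$oid] = true;
        return true;
    }

    public function canDownload(int $repoId, string $oid): bool
    {
        return isset($this->links[$repoId][$oid]);
    }
}

$store   = new LfsStore();
$content = 'constructed sample asset';               // constructed sample data
$oid     = hash('sha256', $content);
$store->receiveUpload(1, $oid, $content);            // repository 1 holds the object
var_dump($store->batchUploadPerRepository(2, $oid)); // repository 2 knows only the OID
var_dump($store->receiveUpload(2, $oid, 'guess'));
var_dump($store->canDownload(2, $oid));
var_dump($store->batchUploadInstanceWide(2, $oid));
var_dump($store->canDownload(2, $oid));
```

The model needs PHP 7.4 or later; the last two calls show how the instance-wide check alone changes what repository 2 can download.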