[ARVADOS] updated: 83f613777343c12cc1e76209f4f509895b3a941b

git at public.curoverse.com git at public.curoverse.com
Mon Jan 18 15:34:38 EST 2016 

Summary of changes:
 apps/workbench/app/controllers/collections_controller.rb |  5 +----
 apps/workbench/config/application.default.yml            | 16 ++++++++++++----
 .../test/controllers/collections_controller_test.rb      |  2 +-
 3 files changed, 14 insertions(+), 9 deletions(-)

       via  83f613777343c12cc1e76209f4f509895b3a941b (commit)
      from  57155061189f477aa8c99797a56fda39dc67153e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 83f613777343c12cc1e76209f4f509895b3a941b
Author: Tom Clegg <tom at curoverse.com>
Date:   Mon Jan 18 15:34:14 2016 -0500

    8177: Expand trust_all_content comments.
    
    Skip whole check_uri block when trust_all_content.
    
    Fix test name.

diff --git a/apps/workbench/app/controllers/collections_controller.rb b/apps/workbench/app/controllers/collections_controller.rb
index 63af828..58ff692 100644
--- a/apps/workbench/app/controllers/collections_controller.rb
+++ b/apps/workbench/app/controllers/collections_controller.rb
@@ -339,7 +339,7 @@ class CollectionsController < ApplicationController
       # Prefer the attachment-only-host when we want an attachment
       # (and when there is no preview link configured)
       tmpl = Rails.configuration.keep_web_download_url
-    else
+    elsif not Rails.configuration.trust_all_content
       check_uri = URI.parse(tmpl % fmt)
       if opts[:query_token] and
           not check_uri.host.start_with?(munged_id + "--") and
@@ -347,9 +347,6 @@ class CollectionsController < ApplicationController
         # We're about to pass a token in the query string, but
         # keep-web can't accept that safely at a single-origin URL
         # template (unless it's -attachment-only-host).
-        unless (Rails.configuration.trust_all_content and tmpl)
-          tmpl = Rails.configuration.keep_web_download_url
-        end
         if not tmpl
           raise ArgumentError, "Download precluded by site configuration"
         end
diff --git a/apps/workbench/config/application.default.yml b/apps/workbench/config/application.default.yml
index 7e8c3aa..239ffcd 100644
--- a/apps/workbench/config/application.default.yml
+++ b/apps/workbench/config/application.default.yml
@@ -258,9 +258,17 @@ common:
   # keep_web_download_url: https://download.uuid_prefix.arvadosapi.com/c=%{uuid_or_pdh}
   keep_web_download_url: false
 
-  # In "trust all content" mode, Workbench will redirect users to
-  # keep-web even when that exposes XSS vulnerabilities.
+  # In "trust all content" mode, Workbench will redirect download
+  # requests to keep-web, even in the cases when keep-web would have
+  # to expose XSS vulnerabilities in order to handle the redirect.
   #
-  # When enabling this setting, the corresponding setting on the
-  # keep-web server must also be enabled.
+  # When enabling this setting, the -trust-all-content flag on the
+  # keep-web server must also be enabled.  For more detail, see
+  # https://godoc.org/github.com/curoverse/arvados/services/keep-web
+  #
+  # This setting has no effect in the recommended configuration, where
+  # the host part of keep_web_url begins with %{uuid_or_pdh}: in this
+  # case XSS protection is provided by browsers' same-origin policy.
+  #
+  # The default setting (false) is appropriate for a multi-user site.
   trust_all_content: false
diff --git a/apps/workbench/test/controllers/collections_controller_test.rb b/apps/workbench/test/controllers/collections_controller_test.rb
index 0cd747e..45aab3c 100644
--- a/apps/workbench/test/controllers/collections_controller_test.rb
+++ b/apps/workbench/test/controllers/collections_controller_test.rb
@@ -578,7 +578,7 @@ class CollectionsControllerTest < ActionController::TestCase
       assert_equal "https://download.example/c=#{id.sub '+', '-'}/_/w%20a%20z?api_token=#{tok}", @response.redirect_url
     end
 
-    test "Redirect to keep_web_download_url via #{id_type} when trust_all_content enabled" do
+    test "Redirect to keep_web_url via #{id_type} when trust_all_content enabled" do
       Rails.configuration.trust_all_content = true
       setup_for_keep_web('https://collections.example/c=%{uuid_or_pdh}',
                          'https://download.example/c=%{uuid_or_pdh}')

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list