authorEl RIDO <[email protected]>2022-03-13 17:24:47 +0100
committerEl RIDO <[email protected]>2022-03-13 18:11:13 +0100
commit6c1f0dde0c4cccd8e132d27842a3cba556648d02 (patch)
treeefb30e4eeb5f75267a79c4a780d8b5bd0d9d04b8
parent18075802264631ecd97f16802e522632e38f3456 (diff)
set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
-rw-r--r--CHANGELOG.md1
-rw-r--r--lib/Controller.php11
-rw-r--r--tpl/bootstrap.php1
-rw-r--r--tpl/page.php1
-rw-r--r--tst/ViewTest.php1
5 files changed, 15 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4ba1cde..ef114663 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
* ADDED: Google Cloud Storage backend support (#795)
* ADDED: Oracle database support (#868)
* ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
+ * ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
* CHANGED: Language selection cookie only transmitted over HTTPS (#472)
* CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21 & Showdown 2.0.0
* CHANGED: Removed automatic `.ini` configuration file migration (#808)
diff --git a/lib/Controller.php b/lib/Controller.php
index 56f424c0..34087957 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -364,6 +364,16 @@ class Controller
setcookie('lang', $languageselection, 0, '', '', true);
}
+ // strip policies that are unsupported in meta tag
+ $metacspheader = str_replace(
+ array(
+ 'frame-ancestors \'none\'; ',
+ '; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+ ),
+ '',
+ $this->_conf->getKey('cspheader')
+ );
+
$page = new View;
$page->assign('NAME', $this->_conf->getKey('name'));
$page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
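Review bot: The `str_replace` stripping only matches the exact default policy string, including the trailing `; ` after `frame-ancestors 'none'` and the precise order and spelling of the sandbox flags; an operator who edits `cspheader` in the configuration (different spacing, a shorter sandbox list, the directive placed last) ends up with a meta policy that still carries those directives. Browsers ignore `frame-ancestors`, `sandbox` and `report-uri` when the policy arrives in a meta tag, so this is not a bypass, but it produces console errors and a misleading page source, and `report-uri` is not handled at all. Filtering per directive on the directive name is robust against any operator-supplied layout; the enclosing method starts before this hunk, so the path that still sends the full policy as an HTTP header is not visible here.
```php
        // strip directives that browsers ignore when the policy is delivered in a <meta> tag
        $headerOnly  = array('frame-ancestors', 'sandbox', 'report-uri');
        $directives  = array();
        foreach (explode(';', $this->_conf->getKey('cspheader')) as $directive) {
            $directive = trim($directive);
            if ($directive === '') {
                continue;
            }
            $parts = explode(' ', $directive, 2);
            if (in_array(strtolower($parts[0]), $headerOnly, true)) {
                continue;
            }
            $directives[] = $directive;
        }
        $metacspheader = implode('; ', $directives);
        // … unchanged: View construction and assignments …
```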
@@ -392,6 +402,7 @@ class Controller
$page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
$page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
$page->assign('COMPRESSION', $this->_conf->getKey('compression'));
+ $page->assign('CSPHEADER', $metacspheader);
$page->draw($this->_conf->getKey('template'));
}
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 0808fff6..1fc8feb2 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -7,6 +7,7 @@ $isPage = substr($template, -5) === '-page';
<html lang="<?php echo I18n::_('en'); ?>">
<head>
<meta charset="utf-8" />
+ <meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex" />
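Review bot: A meta-delivered policy cannot carry `frame-ancestors` or `sandbox`, so this tag is only a partial fallback: clickjacking protection still rests on the HTTP header that a misconfigured server may be mangling in the first place, and that limitation is not recorded anywhere near the tag. A short note keeps a later maintainer from treating the meta tag as a replacement for the header, e.g. `<?php /* fallback for servers that mangle the CSP header; frame-ancestors and sandbox are header-only and still rely on the header */ ?>` on the line above it. Placing the tag directly after the charset declaration is correct, since a meta CSP only governs content parsed after it. The value is operator-configured and, assuming `I18n::encode` HTML-escapes double quotes, its single quotes are safe inside the double-quoted attribute.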
diff --git a/tpl/page.php b/tpl/page.php
index b8c83805..74254c8e 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -4,6 +4,7 @@ use PrivateBin\I18n;
<html lang="<?php echo I18n::_('en'); ?>">
<head>
<meta charset="utf-8" />
+ <meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
<meta name="robots" content="noindex" />
<meta name="google" content="notranslate">
<title><?php echo I18n::_($NAME); ?></title>
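Review bot: The position of the new meta tag matters and nothing in the template says so: a meta-delivered CSP only applies to content parsed after it, so it must stay ahead of every `<link>` and `<script>` in the head, which it currently does by following the charset tag. A one-line PHP comment above the tag, `<?php // keep this before any link/script: a meta CSP only governs content parsed after it ?>`, protects that ordering against a later reshuffle of the head. Note that the policy still depends on `I18n::encode` escaping double quotes for the attribute to stay well-formed; that function is not visible here.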
diff --git a/tst/ViewTest.php b/tst/ViewTest.php
index c729b4ef..1e4d9374 100644
--- a/tst/ViewTest.php
+++ b/tst/ViewTest.php
@@ -60,6 +60,7 @@ class ViewTest extends PHPUnit_Framework_TestCase
$page->assign('HTTPWARNING', true);
$page->assign('HTTPSLINK', 'https://example.com/');
$page->assign('COMPRESSION', 'zlib');
+ $page->assign('CSPHEADER', 'default-src \'none\'');
$dir = dir(PATH . 'tpl');
while (false !== ($file = $dir->read())) {
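Review bot: The new assignment supplies `CSPHEADER` so the templates render without an undefined-variable notice, but nothing in the hunk asserts that the rendered output actually contains the meta tag or that the policy value survives `I18n::encode` intact. The loop that draws each template continues past the hunk, so the assertion belongs there, e.g. `$this->assertContains('http-equiv="Content-Security-Policy"', $content);` against whatever variable holds the captured output. Without it a template that drops the tag, or an encode change that breaks the attribute, would still pass this test.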