Merge pull request #16380 from Dreamsorcerer/patch-1
Allow use of server var for CSP nonce
This commit is contained in:
Roeland Jago Douma
GitHub
commit
057e88e9e7
|
|
@ -58,7 +58,11 @@ class ContentSecurityPolicyNonceManager {
|
|||
*/
|
||||
public function getNonce(): string {
|
||||
if($this->nonce === '') {
|
||||
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
|
||||
if (empty($this->request->server['CSP_NONCE'])) {
|
||||
$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
|
||||
} else {
|
||||
$this->nonce = $this->request->server['CSP_NONCE'];
|
||||
}
|
||||
}
|
||||
|
||||
return $this->nonce;
|
||||
|
|
|
|||
|
|
@ -21,23 +21,26 @@
|
|||
|
||||
namespace Test\Security\CSP;
|
||||
|
||||
use OC\AppFramework\Http\Request;
|
||||
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
||||
use OC\Security\CSRF\CsrfToken;
|
||||
use OC\Security\CSRF\CsrfTokenManager;
|
||||
use OCP\IRequest;
|
||||
use Test\TestCase;
|
||||
|
||||
class ContentSecurityPolicyNonceManagerTest extends TestCase {
|
||||
/** @var CsrfTokenManager */
|
||||
private $csrfTokenManager;
|
||||
/** @var Request */
|
||||
private $request;
|
||||
/** @var ContentSecurityPolicyNonceManager */
|
||||
private $nonceManager;
|
||||
|
||||
public function setUp() {
|
||||
$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
|
||||
$this->request = $this->createMock(Request::class);
|
||||
$this->nonceManager = new ContentSecurityPolicyNonceManager(
|
||||
$this->csrfTokenManager,
|
||||
$this->createMock(IRequest::class)
|
||||
$this->request
|
||||
);
|
||||
}
|
||||
|
||||
|
|
@ -56,4 +59,20 @@ class ContentSecurityPolicyNonceManagerTest extends TestCase {
|
|||
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
|
||||
$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
|
||||
}
|
||||
|
||||
public function testGetNonceServerVar() {
|
||||
$token = 'SERVERNONCE';
|
||||
$this->request
|
||||
->method('__isset')
|
||||
->with('server')
|
||||
->willReturn(true);
|
||||
|
||||
$this->request
|
||||
->method('__get')
|
||||
->with('server')
|
||||
->willReturn(['CSP_NONCE' => $token]);
|
||||
|
||||
$this->assertSame($token, $this->nonceManager->getNonce());
|
||||
$this->assertSame($token, $this->nonceManager->getNonce());
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue