Add trict CSP to OCS responses

If a response now explicitly has the Empty CSP set then the middleware
won't touch it.
Roeland Jago Douma 2016-09-15 11:26:24 +02:00
parent 4fdee00c27
commit 7c078a81b4
No known key found for this signature in database
GPG Key ID: 1E152838F164D13B
3 changed files with 10 additions and 4 deletions


@ -37,6 +37,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
use OC\AppFramework\Utility\ControllerMethodReflector; use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\CSP\ContentSecurityPolicyManager; use OC\Security\CSP\ContentSecurityPolicyManager;
use OCP\AppFramework\Http\ContentSecurityPolicy; use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Middleware; use OCP\AppFramework\Middleware;
@ -182,6 +183,10 @@ class SecurityMiddleware extends Middleware {
public function afterController($controller, $methodName, Response $response) { public function afterController($controller, $methodName, Response $response) {
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy(); $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
if (get_class($policy) === EmptyContentSecurityPolicy::class) {
return $response;
}
$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy(); $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy); $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
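Review bot: The early `return $response;` in `afterController` skips everything that follows in the method, not only the `mergePolicies` call, and the method body continues past the end of this hunk, so any later post-processing there is also bypassed for these responses. The `get_class($policy) === EmptyContentSecurityPolicy::class` test is an exact-class match; that looks deliberate (presumably `ContentSecurityPolicy` extends the empty policy, as the widened setter type hint in `Response` suggests, and `instanceof` would then match every policy), but nothing says so. I would add a comment above the check such as `// Exact class on purpose: only a response that explicitly carries the bare EmptyContentSecurityPolicy keeps it unmerged; subclasses still get the default policy merged in.` None of the three changed files appears to be a test, so a middleware test asserting that such a response comes back with its policy untouched would pin the behaviour.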


@ -23,6 +23,7 @@
namespace OC\AppFramework\OCS; namespace OC\AppFramework\OCS;
use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
use OCP\AppFramework\Http\Response; use OCP\AppFramework\Http\Response;
abstract class BaseResponse extends Response { abstract class BaseResponse extends Response {
@ -67,7 +68,7 @@ abstract class BaseResponse extends Response {
$this->setETag($dataResponse->getETag()); $this->setETag($dataResponse->getETag());
$this->setLastModified($dataResponse->getLastModified()); $this->setLastModified($dataResponse->getLastModified());
$this->setCookies($dataResponse->getCookies()); $this->setCookies($dataResponse->getCookies());
$this->setContentSecurityPolicy($dataResponse->getContentSecurityPolicy()); $this->setContentSecurityPolicy(new EmptyContentSecurityPolicy());
if ($format === 'json') { if ($format === 'json') {
$this->addHeader( $this->addHeader(
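Review bot: The new `setContentSecurityPolicy(new EmptyContentSecurityPolicy())` call silently discards whatever policy the controller put on the wrapped `$dataResponse`, while ETag, last-modified and cookies are still copied from it. That is the safer default for a data response, but it is a behaviour change for callers and is not documented here. I would add a comment on that line, e.g. `// OCS responses carry data, not rendered pages: always force the empty (strict) policy and ignore any CSP set on the DataResponse.` The enclosing method starts before and continues after this hunk.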


@ -248,18 +248,18 @@ class Response {
/** /**
* Set a Content-Security-Policy * Set a Content-Security-Policy
* @param ContentSecurityPolicy $csp Policy to set for the response object * @param EmptyContentSecurityPolicy $csp Policy to set for the response object
* @return $this * @return $this
* @since 8.1.0 * @since 8.1.0
*/ */
public function setContentSecurityPolicy(ContentSecurityPolicy $csp) { public function setContentSecurityPolicy(EmptyContentSecurityPolicy $csp) {
$this->contentSecurityPolicy = $csp; $this->contentSecurityPolicy = $csp;
return $this; return $this;
} }
/** /**
* Get the currently used Content-Security-Policy * Get the currently used Content-Security-Policy
* @return ContentSecurityPolicy|null Used Content-Security-Policy or null if * @return EmptyContentSecurityPolicy|null Used Content-Security-Policy or null if
* none specified. * none specified.
* @since 8.1.0 * @since 8.1.0
*/ */