Don't trust update server
In case the update server may deliver malicious content this would allow an adversary to inject arbitrary HTML into the response. So very bad stuff. While signing the response would be better and something we can also do in the future (considering the code signing work), this is already a good first start.
This commit is contained in:
parent
d305412a35
commit
f3e9106864
|
@ -4,7 +4,7 @@
|
||||||
<!--[if (gt IE 9)|!(IE)]><!--><html class="ng-csp" data-placeholder-focus="false" lang="<?php p($_['language']); ?>" ><!--<![endif]-->
|
<!--[if (gt IE 9)|!(IE)]><!--><html class="ng-csp" data-placeholder-focus="false" lang="<?php p($_['language']); ?>" ><!--<![endif]-->
|
||||||
<head data-user="<?php p($_['user_uid']); ?>" data-requesttoken="<?php p($_['requesttoken']); ?>"
|
<head data-user="<?php p($_['user_uid']); ?>" data-requesttoken="<?php p($_['requesttoken']); ?>"
|
||||||
<?php if ($_['updateAvailable']): ?>
|
<?php if ($_['updateAvailable']): ?>
|
||||||
data-update-version="<?php print($_['updateVersion']); ?>" data-update-link="<?php print_unescaped($_['updateLink']); ?>"
|
data-update-version="<?php p($_['updateVersion']); ?>" data-update-link="<?php p($_['updateLink']); ?>"
|
||||||
<?php endif; ?>
|
<?php endif; ?>
|
||||||
>
|
>
|
||||||
<meta charset="utf-8">
|
<meta charset="utf-8">
|
||||||
|
|
|
@ -85,7 +85,9 @@ class OC_TemplateLayout extends OC_Template {
|
||||||
if(isset($data['version']) && $data['version'] != '' and $data['version'] !== Array()) {
|
if(isset($data['version']) && $data['version'] != '' and $data['version'] !== Array()) {
|
||||||
$this->assign('updateAvailable', true);
|
$this->assign('updateAvailable', true);
|
||||||
$this->assign('updateVersion', $data['versionstring']);
|
$this->assign('updateVersion', $data['versionstring']);
|
||||||
$this->assign('updateLink', $data['web']);
|
if(substr($data['web'], 0, 8) === 'https://') {
|
||||||
|
$this->assign('updateLink', $data['web']);
|
||||||
|
}
|
||||||
\OCP\Util::addScript('core', 'update-notification');
|
\OCP\Util::addScript('core', 'update-notification');
|
||||||
} else {
|
} else {
|
||||||
$this->assign('updateAvailable', false); // No update available or not an admin user
|
$this->assign('updateAvailable', false); // No update available or not an admin user
|
||||||
|
|
Loading…
Reference in New Issue