From 0845237efe6cfedbe020a6bf36c839bb2e9b6643 Mon Sep 17 00:00:00 2001 From: Xavier Guimard Date: Wed, 15 Mar 2017 22:27:58 +0000 Subject: [PATCH] Import CSP in manager code (#1137) --- _example/etc/manager-apache2.4.conf | 6 ------ _example/etc/manager-apache2.X.conf | 6 ------ _example/etc/manager-apache2.conf | 6 ------ _example/etc/manager-nginx.conf | 4 ---- .../lib/Lemonldap/NG/Manager.pm | 19 +++++++++++++++++++ .../Lemonldap/NG/Portal/Lib/OtherSessions.pm | 2 +- .../lib/Lemonldap/NG/Portal/Main/Run.pm | 10 +++++----- 7 files changed, 25 insertions(+), 28 deletions(-) diff --git a/_example/etc/manager-apache2.4.conf b/_example/etc/manager-apache2.4.conf index 3070e1c0b..1860e0aad 100644 --- a/_example/etc/manager-apache2.4.conf +++ b/_example/etc/manager-apache2.4.conf @@ -37,12 +37,6 @@ SetHandler fcgid-script Options +ExecCGI - - header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;" - header set X-Content-Type-Options nosniff - header set X-Frame-Options DENY - header set X-XSS-Protection "1; mode=block" - # If you want to use mod_fastcgi, replace lines below by: diff --git a/_example/etc/manager-apache2.X.conf b/_example/etc/manager-apache2.X.conf index 8a0f3a8a1..64df55888 100644 --- a/_example/etc/manager-apache2.X.conf +++ b/_example/etc/manager-apache2.X.conf @@ -37,12 +37,6 @@ SetHandler fcgid-script Options +ExecCGI - - header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;" - header set X-Content-Type-Options nosniff - header set X-Frame-Options DENY - header set X-XSS-Protection "1; mode=block" - # If you want to use mod_fastcgi, replace lines below by: diff --git a/_example/etc/manager-apache2.conf b/_example/etc/manager-apache2.conf index 6575688bd..6823f56f0 100644 --- a/_example/etc/manager-apache2.conf +++ b/_example/etc/manager-apache2.conf 
@@ -37,12 +37,6 @@ SetHandler fcgid-script Options +ExecCGI - - header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;" - header set X-Content-Type-Options nosniff - header set X-Frame-Options DENY - header set X-XSS-Protection "1; mode=block" - # If you want to use mod_fastcgi, replace lines below by: diff --git a/_example/etc/manager-nginx.conf b/_example/etc/manager-nginx.conf index fc43f0b67..d953f4dfb 100644 --- a/_example/etc/manager-nginx.conf +++ b/_example/etc/manager-nginx.conf @@ -14,10 +14,6 @@ server { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;"; - add_header X-Frame-Options DENY; # Uncomment this if you use https only #add_header Strict-Transport-Security "15768000"; } diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm index d2e1a2602..f63a13f66 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm @@ -22,6 +22,8 @@ our $VERSION = '2.0.0'; extends 'Lemonldap::NG::Common::Conf::AccessLib', 'Lemonldap::NG::Handler::PSGI::Router'; +has csp => ( is => 'rw' ); + ## @method boolean init($args) # Launch initialization method # @@ -75,6 +77,12 @@ sub init { $self->addRoute( links => 'links', ['GET'] ); $self->addRoute( 'psgi.js' => 'sendJs', ['GET'] ); + my $portal = $conf->{portal}; + $portal =~ s#htts?://([^/])*.*#$1#; + $self->csp( +"default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' $portal;" + ); + $self->defaultRoute( $working[0]->defaultRoute ); my $linksIcons = 
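Review bot: The host extraction `$portal =~ s#htts?://([^/])*.*#$1#;` in the `init` hunk of Manager.pm cannot work as intended: `htts?://` matches `htt://` or `htts://` but never `http://` or `https://`, so the substitution never fires and the whole portal URL, path included, is what lands in `img-src`; and even with the scheme corrected, `([^/])*` captures only the last character of the host, so `$1` would be a single letter. A capture that keeps the full host is clearer, e.g. `my ($portal) = ( $conf->{portal} // '' ) =~ m{ \A https?:// ([^/]+) }xms;` followed by `$portal //= '';`, which also avoids an undefined-value warning and an empty `img-src 'self' ;` source when `portal` is not configured. A one-line why-comment would help the next reader, e.g. `# Allow images served from the portal host (presumably icons used by manager pages)`. `init` starts and ends outside this hunk.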
@@ -124,6 +132,17 @@ sub javascript { ); } +sub sendHtml { + my ( $self, $req, $template, %args ) = @_; + my $res = $self->SUPER::sendHtml( $req, $template, %args ); + push @{ $res->[1] }, + 'Content-Security-Policy' => $self->csp, + 'X-Content-Type-Options' => 'nosniff', + 'X-Frame-Options' => 'DENY', + 'X-XSS-Protection' => '1; mode=block'; + return $res; +} + 1; __END__ diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm index b9aae7b8b..f57aaabda 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm @@ -45,7 +45,7 @@ sub mkSessionArray { foreach my $session (@$sessions) { $tmp .= ""; $tmp .= "$session->{user}" if ($displayUser); - $tmp .= qq'"; + $tmp .= qq''; $tmp .= "$session->{ipAddr}"; $tmp .= "" . ( $session->{$_} || "" ) . "" foreach ( keys %{ $self->{sessionDataToRemember} } ); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm index b25063e66..d25b2add6 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm @@ -674,7 +674,8 @@ sub _dump { sub sendHtml { my ( $self, $req, $template, %args ) = @_; - push @{ $req->respHeaders }, + my $res = $self->SUPER::sendHtml( $req, $template, %args ); + push @{ $res->[1] }, 'X-XSS-Protection' => '1; mode=block', 'X-Content-Type-Options' => 'nosniff'; @@ -692,7 +693,7 @@ sub sendHtml { # Deny using portal in frame except if it is required unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) { - push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY'; + push @{ $res->[1] }, 'X-Frame-Options' => 'DENY'; $csp .= "frame-ancestors 'none';"; } 
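Review bot: The new `sendHtml` override in Manager.pm carries no `## @method` header although the file documents its methods that way (`## @method boolean init($args)` is visible in the earlier hunk). Suggest adding above `sub sendHtml {`: `## @method PSGI-Response sendHtml($req, $template, %args)` / `# Wrap the parent sendHtml so every manager HTML response carries the CSP built in init` / `# plus X-Content-Type-Options, X-Frame-Options and X-XSS-Protection`. The push into `$res->[1]` presumes the parent always returns a plain PSGI array triplet; whether it can return a streaming code ref is not visible here, so either a comment stating that assumption or a `ref $res eq 'ARRAY'` guard is worth adding. `$self->csp` is only set in `init`, so a call before initialization would emit an undefined header value; `$self->csp // ''` or a note on the ordering makes that explicit.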
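Review bot: Anything that still pushes onto `$req->respHeaders` after the new `my $res = $self->SUPER::sendHtml( $req, $template, %args );` line in Run.pm's `sendHtml` would no longer reach the client, because the response is already built at that point; the body between this hunk and the next two is outside this view, so that is worth checking rather than assumed safe. The same `$req->respHeaders` → `$res->[1]` substitution is made in the following two hunks (`X-Frame-Options` and `Content-Security-Policy`), and, as in the Manager override, it presumes the parent returns a plain PSGI arrayref. A short comment at that line, e.g. `# Build the response first; hardening headers are appended to its header list below`, would record the ordering requirement. `sendHtml` continues beyond each of these hunks.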
@@ -707,9 +708,8 @@ sub sendHtml { } # Set CSP header - push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp; - - return $self->SUPER::sendHtml( $req, $template, %args ); + push @{ $res->[1] }, 'Content-Security-Policy' => $csp; + return $res; } sub rebuildCookies {