From 4436273e3dd3b4b094331d1bcd6c1dba06b61c40 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cornelia=20K=C3=B6llmann?= <cornelia.koellmann@perfact.de>
Date: Fri, 9 Dec 2022 16:22:56 +0100
Subject: [PATCH 1/3] T235186: PFSA-2022-013 - Set csp header for file stream

---
 __root__/PerFact/WebApp/file_d/showfile/__source__.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/__root__/PerFact/WebApp/file_d/showfile/__source__.py b/__root__/PerFact/WebApp/file_d/showfile/__source__.py
index dbcefe2e6e1..4c0455af33a 100644
--- a/__root__/PerFact/WebApp/file_d/showfile/__source__.py
+++ b/__root__/PerFact/WebApp/file_d/showfile/__source__.py
@@ -1,5 +1,13 @@
 resp = context.REQUEST.RESPONSE
 
+# Prevent execution of JS that someone may have hidden in an image
+# PFSA-2022-013
+if streaming:
+    resp.setHeader(
+        "Content-Security-Policy",
+        "script-src 'self' ;"
+    )
+
 if not id:
     tn = (traverse_subpath[0] == 'tn')
     txt = traverse_subpath[-1].split('.')[0]
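Review bot: `script-src 'self'` on line 22 blocks inline script but still allows scripts fetched from the same origin, so if this endpoint serves user-supplied files on the application's own origin, a file that happens to be rendered as a document could still pull in another served file as a script; for a response whose only job is to stream a file, `script-src 'none'` is the stricter value, and the same `'self'` value is carried into patches 2 and 3. Whether any file can be served with a document content type is not visible here, so this is worth confirming against the Content-Type handling in the rest of showfile. The trailing ` ;` inside the literal is harmless but `"script-src 'none'"` reads cleaner.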
-- 
2.25.1


From c32b8b82f2ac3d4d076ccd3bbeb60b1c2e5e002a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cornelia=20K=C3=B6llmann?= <cornelia.koellmann@perfact.de>
Date: Mon, 12 Dec 2022 14:03:21 +0100
Subject: [PATCH 2/3] T235186: PFSA-2022-013 - Locally adjust std csp header
 instead of replacing

---
 .../PerFact/WebApp/file_d/showfile/__source__.py    | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/__root__/PerFact/WebApp/file_d/showfile/__source__.py b/__root__/PerFact/WebApp/file_d/showfile/__source__.py
index 4c0455af33a..0e76a613d0b 100644
--- a/__root__/PerFact/WebApp/file_d/showfile/__source__.py
+++ b/__root__/PerFact/WebApp/file_d/showfile/__source__.py
@@ -3,9 +3,20 @@ resp = context.REQUEST.RESPONSE
 # Prevent execution of JS that someone may have hidden in an image
 # PFSA-2022-013
 if streaming:
+    # Get current csp header and split it into parts
+    csp_header_global = resp.getHeader('Content-Security-Policy')
+    prep = csp_header_global.split(";")
+    csp_new = []
+    # Replace the script-src part with a stricter version
+    for part in prep:
+        if "script-src" in part:
+            csp_new.append(" script-src 'self'")
+        else:
+            csp_new.append(part)
+    csp_header_stricter_for_showfile = (";").join(csp_new)
     resp.setHeader(
         "Content-Security-Policy",
-        "script-src 'self' ;"
+        csp_header_stricter_for_showfile
     )
 
 if not id:
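Review bot: `"script-src" in part` on line 56 is a substring test, so a global policy that also carries `script-src-elem` or `script-src-attr` has those directives rewritten into additional `script-src 'self'` entries, and the elem/attr restrictions are lost; since browsers honour only the first occurrence of a directive, the entry that ends up applying may not be the intended one. Compare the directive name exactly instead, `if part.split()[:1] == ["script-src"]:`. The same loop survives into patch 3. Separately, `resp.getHeader('Content-Security-Policy')` on line 51 may return None when no global policy is configured, in which case `.split` on line 52 raises; patch 3 guards this with `or ''`.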
-- 
2.25.1


From 002fb807e553ab7aea87f23314adce49ca9fd582 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cornelia=20K=C3=B6llmann?= <cornelia.koellmann@perfact.de>
Date: Thu, 15 Dec 2022 15:13:30 +0100
Subject: [PATCH 3/3] T235186: PFSA-2022-013 - Patch for non-streaming mode and
 inactive apppref, too

---
 .../WebApp/file_d/showfile/__source__.py      | 37 +++++++++++--------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/__root__/PerFact/WebApp/file_d/showfile/__source__.py b/__root__/PerFact/WebApp/file_d/showfile/__source__.py
index 0e76a613d0b..0f6a2cf42b0 100644
--- a/__root__/PerFact/WebApp/file_d/showfile/__source__.py
+++ b/__root__/PerFact/WebApp/file_d/showfile/__source__.py
@@ -2,22 +2,27 @@ resp = context.REQUEST.RESPONSE
 
 # Prevent execution of JS that someone may have hidden in an image
 # PFSA-2022-013
-if streaming:
-    # Get current csp header and split it into parts
-    csp_header_global = resp.getHeader('Content-Security-Policy')
-    prep = csp_header_global.split(";")
-    csp_new = []
-    # Replace the script-src part with a stricter version
-    for part in prep:
-        if "script-src" in part:
-            csp_new.append(" script-src 'self'")
-        else:
-            csp_new.append(part)
-    csp_header_stricter_for_showfile = (";").join(csp_new)
-    resp.setHeader(
-        "Content-Security-Policy",
-        csp_header_stricter_for_showfile
-    )
+# Get current csp header and split it into parts
+csp_header_global = resp.getHeader('Content-Security-Policy') or ''
+prep = csp_header_global.split(";")
+csp_new = []
+
+# Replace the script-src part with a stricter version
+for part in prep:
+    if "script-src" in part:
+        csp_new.append("script-src 'self'")
+    else:
+        csp_new.append(part)
+
+if not csp_header_global:
+    # If global csp header is empty (in case of inactive apppref)
+    csp_new.append(" script-src 'self'")
+
+csp_header_stricter_for_showfile = (";").join(csp_new)
+resp.setHeader(
+    "Content-Security-Policy",
+    csp_header_stricter_for_showfile
+)
 
 if not id:
     tn = (traverse_subpath[0] == 'tn')
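Review bot: The `if not csp_header_global:` branch on line 118 appends a `script-src` directive only when the global header is empty, so a non-empty policy that has no `script-src` at all (for example one that only sets `default-src`) passes through unchanged and script execution in a served file stays governed by whatever `default-src` permits. Track whether the loop actually replaced a `script-src` directive and append one otherwise; the rewrite below does that and also matches the directive name exactly so `script-src-elem`/`script-src-attr` are not turned into duplicate `script-src` entries. A trailing `;` in the global header still produces an empty part and thus an empty directive in the output, which browsers tolerate.
```python
csp_new = []
has_script_src = False

# Replace the script-src directive with a stricter version; compare the
# directive name exactly so script-src-elem / script-src-attr are left alone
for part in prep:
    if part.split()[:1] == ["script-src"]:
        csp_new.append("script-src 'self'")
        has_script_src = True
    else:
        csp_new.append(part)

if not has_script_src:
    # No script-src directive present: empty header (inactive apppref) or a
    # policy that relies on default-src only
    csp_new.append(" script-src 'self'")
# … unchanged: join and setHeader …
```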
-- 
2.25.1

