authorDylan William Hardison <dylan@hardison.net>2018-04-08 01:20:00 +0200
committerDylan William Hardison <dylan@hardison.net>2018-06-28 22:41:55 +0200
commit541e2b41af8cc44ad3eb0638618bc457c666d612 (patch)
tree121866bb37e4b06ffd7320679772d77271158661 /Bugzilla/CGI
parentcdc26a69674ea7a3413efce2f8d4e3225c6ab76e (diff)
a bit of a quantum leap
It's now possible to load the CGIs into a Mojolicious controller. Compatibility isn't 100% yet, but it should give a migration path for any random CGI to become a proper controller.
Diffstat (limited to 'Bugzilla/CGI')
-rw-r--r--Bugzilla/CGI/ContentSecurityPolicyAttr.pm71
-rw-r--r--Bugzilla/CGI/Mojo.pm57
2 files changed, 71 insertions, 57 deletions
diff --git a/Bugzilla/CGI/ContentSecurityPolicyAttr.pm b/Bugzilla/CGI/ContentSecurityPolicyAttr.pm
new file mode 100644
index 000000000..c94b3815c
--- /dev/null
+++ b/Bugzilla/CGI/ContentSecurityPolicyAttr.pm
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+package Bugzilla::CGI::ContentSecurityPolicyAttr;
+use 5.10.1;
+use strict;
+use warnings;
+use Role::Tiny;
+
+requires 'csp_object', 'set_csp_object';
+
+sub DEFAULT_CSP {
+ my %policy = (
+ default_src => [ 'self' ],
+ script_src => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ],
+ frame_src => [ 'none', ],
+ worker_src => [ 'none', ],
+ img_src => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
+ style_src => [ 'self', 'unsafe-inline' ],
+ object_src => [ 'none' ],
+ connect_src => [
+ 'self',
+ # This is from extensions/OrangeFactor/web/js/orange_factor.js
+ 'https://treeherder.mozilla.org/api/failurecount/',
+ ],
+ form_action => [
+ 'self',
+ # used in template/en/default/search/search-google.html.tmpl
+ 'https://www.google.com/search'
+ ],
+ frame_ancestors => [ 'none' ],
+ report_only => 1,
+ );
+ if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) {
+ push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login';
+ }
+
+ return %policy;
+}
+
+sub content_security_policy {
+ my ($self, %add_params) = @_;
+ if (%add_params || !$self->csp_object) {
+ my %params = DEFAULT_CSP;
+ delete $params{report_only} if %add_params && !$add_params{report_only};
+ foreach my $key (keys %add_params) {
+ if (defined $add_params{$key}) {
+ $params{$key} = $add_params{$key};
+ }
+ else {
+ delete $params{$key};
+ }
+ }
+ $self->set_csp_object( Bugzilla::CGI::ContentSecurityPolicy->new(%params) );
+ }
+
+ return $self->csp_object;
+}
+
+sub csp_nonce {
+ my ($self) = @_;
+
+ my $csp = $self->content_security_policy;
+ return $csp->has_nonce ? $csp->nonce : '';
+}
+
+1;
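Review bot: `content_security_policy` constructs `Bugzilla::CGI::ContentSecurityPolicy->new(%params)` and `DEFAULT_CSP` calls `Bugzilla->params` / `Bugzilla->user`, but this file loads neither package, so the role only works if every consumer happens to have loaded them first; a missing load would surface as a runtime "Can't locate object method" rather than at compile time. Adding `use Bugzilla::CGI::ContentSecurityPolicy;` next to `use Role::Tiny;` makes the dependency explicit (Bugzilla itself is presumably always loaded by the consumer, but stating it with `use Bugzilla;` would be cheap). The `report_only` handling at `delete $params{report_only} if %add_params && !$add_params{report_only};` deserves a why-comment, since it is not obvious that passing any override without `report_only` switches the policy from report-only to (presumably) enforcing; something like `# Any explicit override is treated as opting into enforcement unless report_only is requested again.` Also worth a one-line comment on `script_src`: `'nonce'` and `'unsafe-inline'` together means CSP2-capable browsers will ignore `'unsafe-inline'`, so if that pairing is intentional fallback for older browsers, say so.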
diff --git a/Bugzilla/CGI/Mojo.pm b/Bugzilla/CGI/Mojo.pm
deleted file mode 100644
index 2d4f40d3e..000000000
--- a/Bugzilla/CGI/Mojo.pm
+++ /dev/null
@@ -1,57 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# This Source Code Form is "Incompatible With Secondary Licenses", as
-# defined by the Mozilla Public License, v. 2.0.
-
-package Bugzilla::CGI::Mojo;
-use 5.10.1;
-use Moo;
-
-has 'controller' => (
- is => 'ro',
- handles => [qw(param cookie)],
-);
-
-has 'content_security_policy' => (
- is => 'lazy',
-);
-
-sub _build_content_security_policy {
- my ($self) = @_;
- my $csp = $self->controller->stash->{content_security_policy} // { Bugzilla::CGI::DEFAULT_CSP() };
- return Bugzilla::CGI::ContentSecurityPolicy->new( $csp );
-}
-
-sub csp_nonce {
- my ($self) = @_;
-
- my $csp = $self->content_security_policy;
- return $csp->has_nonce ? $csp->nonce : '';
-}
-
-sub script_name {
- my ($self) = @_;
-
- return $self->controller->req->env->{SCRIPT_NAME};
-}
-
-sub http {
- my ($self, $header) = @_;
- return $self->controller->req->headers->header($header);
-}
-
-sub redirect {
- my ($self, $location) = @_;
-
- $self->controller->redirect_to($location);
-}
-
-sub Vars {
- my ($self) = @_;
-
- return $self->controller->req->query_params->to_hash;
-}
-
-1;