author | Dylan William Hardison <dylan@hardison.net> | 2018-04-08 01:20:00 +0200 |
---|---|---|
committer | Dylan William Hardison <dylan@hardison.net> | 2018-06-28 22:41:55 +0200 |
commit | 541e2b41af8cc44ad3eb0638618bc457c666d612 (patch) | |
tree | 121866bb37e4b06ffd7320679772d77271158661 /Bugzilla/CGI | |
parent | cdc26a69674ea7a3413efce2f8d4e3225c6ab76e (diff) | |
a bit of a quantum leap
It's now possible to load the CGIs into a Mojolicious controller.
Compatibility isn't 100% yet, but it should give a migration path
for any random CGI to become a proper controller.
Diffstat (limited to 'Bugzilla/CGI')
-rw-r--r-- | Bugzilla/CGI/ContentSecurityPolicyAttr.pm | 71 | ||||
-rw-r--r-- | Bugzilla/CGI/Mojo.pm | 57 |
2 files changed, 71 insertions, 57 deletions
diff --git a/Bugzilla/CGI/ContentSecurityPolicyAttr.pm b/Bugzilla/CGI/ContentSecurityPolicyAttr.pm
new file mode 100644
index 000000000..c94b3815c
--- /dev/null
+++ b/Bugzilla/CGI/ContentSecurityPolicyAttr.pm
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+package Bugzilla::CGI::ContentSecurityPolicyAttr;
+use 5.10.1;
+use strict;
+use warnings;
+use Role::Tiny;
+
+requires 'csp_object', 'set_csp_object';
+
+sub DEFAULT_CSP {
+    my %policy = (
+        default_src => [ 'self' ],
+        script_src => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ],
+        frame_src => [ 'none', ],
+        worker_src => [ 'none', ],
+        img_src => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
+        style_src => [ 'self', 'unsafe-inline' ],
+        object_src => [ 'none' ],
+        connect_src => [
+            'self',
+            # This is from extensions/OrangeFactor/web/js/orange_factor.js
+            'https://treeherder.mozilla.org/api/failurecount/',
+        ],
+        form_action => [
+            'self',
+            # used in template/en/default/search/search-google.html.tmpl
+            'https://www.google.com/search'
+        ],
+        frame_ancestors => [ 'none' ],
+        report_only => 1,
+    );
+    if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) {
+        push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login';
+    }
+
+    return %policy;
+}
+
+sub content_security_policy {
+    my ($self, %add_params) = @_;
+    if (%add_params || !$self->csp_object) {
+        my %params = DEFAULT_CSP;
+        delete $params{report_only} if %add_params && !$add_params{report_only};
+        foreach my $key (keys %add_params) {
+            if (defined $add_params{$key}) {
+                $params{$key} = $add_params{$key};
+            }
+            else {
+                delete $params{$key};
+            }
+        }
+        $self->set_csp_object( Bugzilla::CGI::ContentSecurityPolicy->new(%params) );
+    }
+
+    return $self->csp_object;
+}
+
+sub csp_nonce {
+    my ($self) = @_;
+
+    my $csp = $self->content_security_policy;
+    return $csp->has_nonce ? $csp->nonce : '';
+}
+
+1;
diff --git a/Bugzilla/CGI/Mojo.pm b/Bugzilla/CGI/Mojo.pm
deleted file mode 100644
index 2d4f40d3e..000000000
--- a/Bugzilla/CGI/Mojo.pm
+++ /dev/null
@@ -1,57 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# This Source Code Form is "Incompatible With Secondary Licenses", as
-# defined by the Mozilla Public License, v. 2.0.
-
-package Bugzilla::CGI::Mojo;
-use 5.10.1;
-use Moo;
-
-has 'controller' => (
-    is => 'ro',
-    handles => [qw(param cookie)],
-);
-
-has 'content_security_policy' => (
-    is => 'lazy',
-);
-
-sub _build_content_security_policy {
-    my ($self) = @_;
-    my $csp = $self->controller->stash->{content_security_policy} // { Bugzilla::CGI::DEFAULT_CSP() };
-    return Bugzilla::CGI::ContentSecurityPolicy->new( $csp );
-}
-
-sub csp_nonce {
-    my ($self) = @_;
-
-    my $csp = $self->content_security_policy;
-    return $csp->has_nonce ? $csp->nonce : '';
-}
-
-sub script_name {
-    my ($self) = @_;
-
-    return $self->controller->req->env->{SCRIPT_NAME};
-}
-
-sub http {
-    my ($self, $header) = @_;
-    return $self->controller->req->headers->header($header);
-}
-
-sub redirect {
-    my ($self, $location) = @_;
-
-    $self->controller->redirect_to($location);
-}
-
-sub Vars {
-    my ($self) = @_;
-
-    return $self->controller->req->query_params->to_hash;
-}
-
-1; |
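Review bot: `DEFAULT_CSP` ships with `report_only => 1`, so unless a caller passes `%add_params` to `content_security_policy` (which drops that key whenever `report_only` is not among the overrides) the header only reports violations and enforces nothing; that is presumably the intended rollout mode, but the hunk does not say so, and the enforce-by-omission rule in `content_security_policy` is easy to trip over. I'd add above the `report_only => 1` line: `# Report-only by default; the policy is enforced only when content_security_policy() is called with overrides that do not set report_only.` Also worth a comment on the `script_src` line that `'unsafe-inline'` next to `'nonce'` is a fallback for browsers without nonce support — nonce-aware browsers ignore it — so every inline script still needs the nonce attribute. Rebuilding the object whenever `%add_params` is passed presumably regenerates the nonce, so overrides have to be applied before `csp_nonce` is first used on a request; confirm against `Bugzilla::CGI::ContentSecurityPolicy`, which is outside this hunk.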