summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorDylan William Hardison <dylan@hardison.net>2018-05-21 17:42:29 +0200
committerDylan William Hardison <dylan@hardison.net>2018-06-28 22:41:56 +0200
commit15661bf793105352c3cf0d84d6c7e790be838a78 (patch)
tree59ccbd228b2b64658642649b71ce340c64c3d14d /Bugzilla
parent3517d8a6687cd37cb8c9009a78f16071d652254a (diff)
downloadbugzilla-15661bf793105352c3cf0d84d6c7e790be838a78.tar.gz
bugzilla-15661bf793105352c3cf0d84d6c7e790be838a78.tar.xz
revert some bad ideas
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/CGI.pm57
-rw-r--r--Bugzilla/CGI/Role.pm84
2 files changed, 48 insertions, 93 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 2dedbc5f3..495cb4769 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -24,10 +24,6 @@ use Bugzilla::Search::Recent;
use File::Basename;
use URI;
-use Role::Tiny::With;
-
-with 'Bugzilla::CGI::Role';
-
BEGIN {
if (ON_WINDOWS) {
# Help CGI find the correct temp directory as the default list
@@ -37,6 +33,35 @@ BEGIN {
*AUTOLOAD = \&CGI::AUTOLOAD;
}
+sub DEFAULT_CSP {
+ my %policy = (
+ default_src => [ 'self' ],
+ script_src => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ],
+ frame_src => [ 'none', ],
+ worker_src => [ 'none', ],
+ img_src => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
+ style_src => [ 'self', 'unsafe-inline' ],
+ object_src => [ 'none' ],
+ connect_src => [
+ 'self',
+ # This is from extensions/OrangeFactor/web/js/orange_factor.js
+ 'https://treeherder.mozilla.org/api/failurecount/',
+ ],
+ form_action => [
+ 'self',
+ # used in template/en/default/search/search-google.html.tmpl
+ 'https://www.google.com/search'
+ ],
+ frame_ancestors => [ 'none' ],
+ report_only => 1,
+ );
+ if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) {
+ push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login';
+ }
+
+ return %policy;
+}
+
# Because show_bug code lives in many different .cgi files,
# we needed a centralized place to define the policy.
# normally the policy would just live in one .cgi file.
@@ -168,16 +193,30 @@ sub target_uri {
}
}
-sub set_csp_object {
- my ( $self, $object ) = @_;
+sub content_security_policy {
+ my ($self, %add_params) = @_;
+ if (%add_params || !$self->{Bugzilla_csp}) {
+ my %params = DEFAULT_CSP;
+ delete $params{report_only} if %add_params && !$add_params{report_only};
+ foreach my $key (keys %add_params) {
+ if (defined $add_params{$key}) {
+ $params{$key} = $add_params{$key};
+ }
+ else {
+ delete $params{$key};
+ }
+ }
+ $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params);
+ }
- $self->{Bugzilla_csp} = $object;
+ return $self->{Bugzilla_csp};
}
-sub csp_object {
+sub csp_nonce {
my ($self) = @_;
- return $self->{Bugzilla_csp};
+ my $csp = $self->content_security_policy;
+ return $csp->has_nonce ? $csp->nonce : '';
}
# We want this sorted plus the ability to exclude certain params
diff --git a/Bugzilla/CGI/Role.pm b/Bugzilla/CGI/Role.pm
deleted file mode 100644
index 33807eb7e..000000000
--- a/Bugzilla/CGI/Role.pm
+++ /dev/null
@@ -1,84 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# This Source Code Form is "Incompatible With Secondary Licenses", as
-# defined by the Mozilla Public License, v. 2.0.
-
-package Bugzilla::CGI::Role;
-use 5.10.1;
-use strict;
-use warnings;
-use Role::Tiny;
-
-requires 'csp_object', 'set_csp_object';
-
-sub DEFAULT_CSP {
- my %policy = (
- default_src => [ 'self' ],
- script_src => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ],
- frame_src => [ 'none', ],
- worker_src => [ 'none', ],
- img_src => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
- style_src => [ 'self', 'unsafe-inline' ],
- object_src => [ 'none' ],
- connect_src => [
- 'self',
- # This is from extensions/OrangeFactor/web/js/orange_factor.js
- 'https://treeherder.mozilla.org/api/failurecount/',
- ],
- form_action => [
- 'self',
- # used in template/en/default/search/search-google.html.tmpl
- 'https://www.google.com/search'
- ],
- frame_ancestors => [ 'none' ],
- report_only => 1,
- );
- if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) {
- push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login';
- }
-
- return %policy;
-}
-
-sub content_security_policy {
- my ($self, %add_params) = @_;
- if (%add_params || !$self->csp_object) {
- my %params = DEFAULT_CSP;
- delete $params{report_only} if %add_params && !$add_params{report_only};
- foreach my $key (keys %add_params) {
- if (defined $add_params{$key}) {
- $params{$key} = $add_params{$key};
- }
- else {
- delete $params{$key};
- }
- }
- $self->set_csp_object( Bugzilla::CGI::ContentSecurityPolicy->new(%params) );
- }
-
- return $self->csp_object;
-}
-
-sub csp_nonce {
- my ($self) = @_;
-
- my $csp = $self->content_security_policy;
- return $csp->has_nonce ? $csp->nonce : '';
-}
-
-# Cookies are removed by setting an expiry date in the past.
-# This method is a send_cookie wrapper doing exactly this.
-sub remove_cookie {
- my ($self, $name) = @_;
-
- # Expire the cookie, giving a non-empty dummy value (bug 268146).
- $self->send_cookie(
- '-name' => $name,
- '-expires' => 'Tue, 15-Sep-1998 21:49:00 GMT',
- '-value' => 'X'
- );
-}
-
-1;