authorDylan William Hardison <dylan@hardison.net>2018-02-20 15:11:48 +0100
committerDylan William Hardison <dylan@hardison.net>2018-02-20 15:11:54 +0100
commit3bd95a4452433e68b21935463cb9e6b07ff4e449 (patch)
tree07ad59b04f34f9ecebcc167089e178c288326a7a /Bugzilla
parent9ceb2e0a1564aa2d059646bc704f21283507ac9e (diff)
Bug 1432296 - Prevent bugzilla static assets from being blocked by overly long request URIs
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/CGI.pm16
1 files changed, 13 insertions, 3 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 651c31bad..35d6dd687 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -491,6 +491,11 @@ sub _prevent_unsafe_response {
}
}
+sub should_block_referrer {
+ my ($self) = @_;
+ return length($self->self_url) > 8000;
+}
+
# Override header so we can add the cookies in
sub header {
my $self = shift;
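Review bot: `should_block_referrer` compares `length($self->self_url)` against the bare literal `8000` with no comment saying where the threshold comes from, and the sub is a public method with no documentation, so a later maintainer cannot tell whether the number tracks a web-server header-size limit or was picked by hand. The commit title suggests the intent is to keep a very long current URL from being sent as a Referer on the browser's follow-up requests for static assets, but that is only inferable from the second hunk, which sets `-referrer_policy` based on this predicate. Name the limit and state the intent: `use constant MAX_REFERRER_URL_LENGTH => 8000;  # keep the Referer header under typical request-header size limits` and `return length($self->self_url) > MAX_REFERRER_URL_LENGTH;`, plus a one-line comment above the sub such as `# True when the current request URL is so long that a browser echoing it as Referer on asset requests is likely to be rejected upstream.` Note that `self_url` includes the query string, so the check is on the full URL the browser would echo, which is presumably what is wanted; confirm that is the intended measure.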
@@ -570,15 +575,20 @@ sub header {
# the MIME type away from the declared Content-Type.
$headers{'-x_content_type_options'} = 'nosniff';
- my $csp = $self->content_security_policy;
- $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable;
-
Bugzilla::Hook::process('cgi_headers',
{ cgi => $self, headers => \%headers }
);
$self->{_header_done} = 1;
if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) {
+ if ($self->should_block_referrer) {
+ $headers{'-referrer_policy'} = 'origin';
+ }
+ my $csp = $self->content_security_policy;
+ if (defined $csp && !$csp->disable) {
+ $csp->add_cgi_headers(\%headers)
+ }
+
my @fonts = (
"skins/standard/fonts/FiraMono-Regular.woff2?v=3.202",
"skins/standard/fonts/FiraSans-Bold.woff2?v=4.203",