authorDylan William Hardison <dylan@hardison.net>2017-01-25 21:04:07 +0100
committerDylan William Hardison <dylan@hardison.net>2017-01-25 21:04:21 +0100
commit6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5 (patch)
tree28aea39d85e63a901744c6319f6dc06884040daf /Bugzilla
parentec963661fb29c191fec645a956cbddc670cfa3da (diff)
Bug 1286290 - CSP compliant bug modal
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/CGI.pm46
-rw-r--r--Bugzilla/CGI/ContentSecurityPolicy.pm1
-rw-r--r--Bugzilla/Template.pm5
3 files changed, 44 insertions, 8 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 78987ab71..91dec7e72 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -33,13 +33,41 @@ BEGIN {
use constant DEFAULT_CSP => (
default_src => [ 'self' ],
- script_src => [ 'self', 'https://login.persona.org', 'unsafe-inline', 'unsafe-eval' ],
- child_src => [ 'self', 'https://login.persona.org' ],
+ script_src => [ 'self', 'unsafe-inline', 'unsafe-eval' ],
+ child_src => [ 'self', ],
img_src => [ 'self', 'https://secure.gravatar.com' ],
style_src => [ 'self', 'unsafe-inline' ],
- disable => 1,
+ object_src => [ 'none' ],
+ form_action => [
+ 'self',
+ # used in template/en/default/search/search-google.html.tmpl
+ 'https://www.google.com/search'
+ ],
+ frame_ancestors => [ 'none' ],
+ disable => 1,
);
+# Because show_bug code lives in many different .cgi files,
+# we needed a centralized place to define the policy.
+# normally the policy would just live in one .cgi file.
+# Additionally, correct_urlbase() cannot be called at compile time, so this can't be a constant.
+sub SHOW_BUG_MODAL_CSP {
+ return (
+ script_src => ['self', 'nonce', 'unsafe-inline', 'unsafe-eval' ],
+ object_src => [correct_urlbase() . "extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf"],
+ connect_src => [
+ 'self',
+ # This is from extensions/OrangeFactor/web/js/orange_factor.js
+ 'https://brasstacks.mozilla.com/orangefactor/api/count',
+ ],
+ child_src => [
+ 'self',
+ # This is for the socorro lens addon and is to be removed by Bug 1332016
+ 'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm'
+ ],
+ );
+}
+
sub _init_bz_cgi_globals {
my $invocant = shift;
# We need to disable output buffering - see bug 179174
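Review bot: SHOW_BUG_MODAL_CSP's `script_src` lists `'nonce'` together with `'unsafe-inline'` and `'unsafe-eval'`; browsers that implement CSP Level 2 ignore 'unsafe-inline' as soon as a nonce (or hash) appears in the same directive, so on those browsers every inline script must carry the nonce while CSP 1 user agents keep allowing all inline script — that deserves a comment such as `# 'unsafe-inline' is ignored by browsers that honour the nonce; it is only a fallback for CSP 1 user agents.` 'unsafe-eval' is still granted, so eval-style string-to-code remains permitted under the modal's policy, and dropping it once the modal's scripts no longer need it would be the natural next tightening. How the literal `'nonce'` is expanded into the per-request `'nonce-…'` source happens in ContentSecurityPolicy.pm, not in this hunk, so that assumption should be confirmed there.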
@@ -143,9 +171,9 @@ sub content_security_policy {
my ($self, %add_params) = @_;
if (Bugzilla->has_feature('csp')) {
require Bugzilla::CGI::ContentSecurityPolicy;
- return $self->{Bugzilla_csp} if $self->{Bugzilla_csp};
- my %params = DEFAULT_CSP;
- if (%add_params) {
+ if (%add_params || !$self->{Bugzilla_csp}) {
+ my %params = DEFAULT_CSP;
+ delete $params{disable} if %add_params && !$add_params{disable};
foreach my $key (keys %add_params) {
if (defined $add_params{$key}) {
$params{$key} = $add_params{$key};
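Review bot: The line `delete $params{disable} if %add_params && !$add_params{disable};` silently switches enforcement on for any caller that supplies directives, which the rest of the commit relies on but which is not obvious from the code; a comment would help, e.g. `# DEFAULT_CSP ships with disable => 1; a CGI that installs its own directives wants the policy enforced unless it passes disable => 1 itself.` Note also that every call with %add_params rebuilds from DEFAULT_CSP and overwrites $self->{Bugzilla_csp}, so directives from an earlier call with arguments are discarded rather than merged, and later no-argument callers (header(), presumably) receive whichever policy was installed last; if that is intended the comment should say so. content_security_policy's body continues in the next hunk, where the constructor call `$self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params);` now sits inside the rebuild branch.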
@@ -154,8 +182,10 @@ sub content_security_policy {
delete $params{$key};
}
}
+ $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params);
}
- return $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params);
+
+ return $self->{Bugzilla_csp};
}
return undef;
}
@@ -455,7 +485,7 @@ sub header {
$headers{'-x_content_type_options'} = 'nosniff';
my $csp = $self->content_security_policy;
- $csp->add_cgi_headers(\%headers) if defined $csp;
+ $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable;
Bugzilla::Hook::process('cgi_headers',
{ cgi => $self, headers => \%headers }
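Review bot: With DEFAULT_CSP still carrying `disable => 1`, the new `!$csp->disable` guard means no Content-Security-Policy header at all is emitted for CGIs that never call content_security_policy with directives — the default policy is never sent, not even in report-only form; that is presumably intended for a staged rollout but deserves a comment at the call site, e.g. `# DEFAULT_CSP is disabled; only CGIs that install their own directives get a CSP header.` A `disable` accessor on Bugzilla::CGI::ContentSecurityPolicy is assumed here and is not part of this diff, so it should be confirmed to exist. header() starts and ends outside the hunk.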
diff --git a/Bugzilla/CGI/ContentSecurityPolicy.pm b/Bugzilla/CGI/ContentSecurityPolicy.pm
index 74bce6374..022d49b44 100644
--- a/Bugzilla/CGI/ContentSecurityPolicy.pm
+++ b/Bugzilla/CGI/ContentSecurityPolicy.pm
@@ -37,6 +37,7 @@ my @ALL_SRC = qw(
default_src child_src connect_src
font_src img_src media_src
object_src script_src style_src
+ frame_ancestors form_action
);
has \@ALL_SRC => ( is => 'ro', isa => $SOURCE_LIST, predicate => 1 );
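Review bot: `frame_ancestors` and `form_action` are added to @ALL_SRC, but unlike the fetch directives already in the list they do not fall back to default_src, so a policy that omits them leaves framing and form targets unrestricted even when default_src is 'self'; a comment such as `# frame_ancestors and form_action are navigation directives: no default_src fallback.` would keep a later reader from assuming default_src covers them. How attribute names are rendered into directive names (underscore to hyphen) is outside this hunk and is assumed to apply to the two new entries as well.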
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index eb1496fca..2887f0138 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -1000,6 +1000,11 @@ sub create {
# Currenly active language
'current_language' => sub { return Bugzilla->current_language; },
+ 'script_nonce' => sub {
+ my $cgi = Bugzilla->cgi;
+ return $cgi->csp_nonce ? sprintf('nonce="%s"', $cgi->csp_nonce) : '';
+ },
+
# If an sudo session is in progress, this is the user who
# started the session.
'sudoer' => sub { return Bugzilla->sudoer; },
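Review bot: `script_nonce` calls `$cgi->csp_nonce` twice on one line; hoisting it, `my $nonce = $cgi->csp_nonce; return $nonce ? sprintf('nonce="%s"', $nonce) : '';`, avoids fetching the value twice and reads more clearly. The nonce is interpolated into an HTML attribute verbatim, which is only safe while csp_nonce yields attribute-safe characters (a base64 string, presumably), so a comment stating that expectation, e.g. `# csp_nonce is expected to be base64, so no HTML escaping is applied here.`, would document the dependency. csp_nonce is not defined anywhere in this diff, so its definition should be confirmed. create() starts and ends outside the hunk.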