From 541e2b41af8cc44ad3eb0638618bc457c666d612 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Sat, 7 Apr 2018 19:20:00 -0400
Subject: a bit of a quantum leap

It's now possible to load the CGIs into a mojolicious controller. Compatibility isn't 100% yet, but it should give a migration path for any random CGI to become a proper controller.
---
 Bugzilla/CGI.pm | 57 +++++++++------------------------------------------
 1 file changed, 9 insertions(+), 48 deletions(-)
(limited to 'Bugzilla/CGI.pm')

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 03805ad1e..bfd2a72f6 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -24,6 +24,10 @@ use Bugzilla::Search::Recent;
 use File::Basename;
 use URI;
 
+use Role::Tiny::With;
+
+with 'Bugzilla::CGI::ContentSecurityPolicyAttr';
+
 BEGIN {
 if (ON_WINDOWS) {
 # Help CGI find the correct temp directory as the default list 
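Review bot: The new `with 'Bugzilla::CGI::ContentSecurityPolicyAttr';` line says nothing about what the role contributes, while the rest of this commit removes `DEFAULT_CSP`, `content_security_policy` and `csp_nonce` from this file, so a reader cannot tell from here whether those names are still available on Bugzilla::CGI or which CSP defaults now apply. A comment above it such as `# CSP construction moved to the ContentSecurityPolicyAttr role; see it for the default policy` would close that gap, and naming the methods the role supplies would let template authors check their `csp_nonce` calls. Note that `with` is an ordinary runtime call, so the role is applied after the BEGIN block below has already run regardless of textual order; that is presumably intended but worth a word. The role module itself is not in this view (the page is limited to Bugzilla/CGI.pm), so whether `report_only` remains the default cannot be checked from here.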
@@ -33,35 +37,6 @@ BEGIN {
 *AUTOLOAD = \&CGI::AUTOLOAD;
 }
 
-sub DEFAULT_CSP {
- my %policy = (
- default_src => [ 'self' ],
- script_src => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ],
- frame_src => [ 'none', ],
- worker_src => [ 'none', ],
- img_src => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
- style_src => [ 'self', 'unsafe-inline' ],
- object_src => [ 'none' ],
- connect_src => [
- 'self',
- # This is from extensions/OrangeFactor/web/js/orange_factor.js
- 'https://treeherder.mozilla.org/api/failurecount/',
- ],
- form_action => [
- 'self',
- # used in template/en/default/search/search-google.html.tmpl
- 'https://www.google.com/search'
- ],
- frame_ancestors => [ 'none' ],
- report_only => 1,
- );
- if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) {
- push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login';
- }
-
- return %policy;
-}
-
 # Because show_bug code lives in many different .cgi files,
 # we needed a centralized place to define the policy.
 # normally the policy would just live in one .cgi file. 
@@ -193,30 +168,16 @@ sub target_uri {
 }
 }
 
-sub content_security_policy {
- my ($self, %add_params) = @_;
- if (%add_params || !$self->{Bugzilla_csp}) {
- my %params = DEFAULT_CSP;
- delete $params{report_only} if %add_params && !$add_params{report_only};
- foreach my $key (keys %add_params) {
- if (defined $add_params{$key}) {
- $params{$key} = $add_params{$key};
- }
- else {
- delete $params{$key};
- }
- }
- $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params);
- }
+sub set_csp_object {
+ my ( $self, $object ) = @_;
 
- return $self->{Bugzilla_csp};
+ $self->{Bugzilla_csp} = $object;
 }
 
-sub csp_nonce {
+sub csp_object {
 my ($self) = @_;
- my $csp = $self->content_security_policy;
- return $csp->has_nonce ? $csp->nonce : '';
+ return $self->{Bugzilla_csp};
 }
 
 # We want this sorted plus the ability to exclude certain params
-- cgit v1.2.3-24-g4f1b
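Review bot: `csp_object` returns undef until something calls `set_csp_object`, whereas the removed `content_security_policy` built a default policy on first access, so any caller that relied on lazy construction now gets no policy at all; if the code that emits the Content-Security-Policy header (not in this hunk) treats undef as "nothing to send", the header is silently dropped rather than failing loudly. Document the contract on the new accessor, e.g. `# Installed by the request bootstrap via set_csp_object; undef means no policy has been set yet.`, and have the header-emitting side treat undef as an error rather than as an absent policy. Templates or code that called `csp_nonce` on the CGI object also lose that method here unless the role applied at the top of the file provides it, which cannot be confirmed from this view. As a style point, `my ( $self, $object ) = @_;` uses padded parentheses while `my ($self) = @_;` a few lines later does not; pick one form.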