From 15661bf793105352c3cf0d84d6c7e790be838a78 Mon Sep 17 00:00:00 2001 From: Dylan William Hardison Date: Mon, 21 May 2018 11:42:29 -0400 Subject: revert some bad ideas --- Bugzilla/CGI.pm | 57 +++++++++++++++++++++++++++++------ Bugzilla/CGI/Role.pm | 84 ---------------------------------------------------- 2 files changed, 48 insertions(+), 93 deletions(-) delete mode 100644 Bugzilla/CGI/Role.pm (limited to 'Bugzilla') diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 2dedbc5f3..495cb4769 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -24,10 +24,6 @@ use Bugzilla::Search::Recent; use File::Basename; use URI; -use Role::Tiny::With; - -with 'Bugzilla::CGI::Role'; - BEGIN { if (ON_WINDOWS) { # Help CGI find the correct temp directory as the default list @@ -37,6 +33,35 @@ BEGIN { *AUTOLOAD = \&CGI::AUTOLOAD; } +sub DEFAULT_CSP { + my %policy = ( + default_src => [ 'self' ], + script_src => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ], + frame_src => [ 'none', ], + worker_src => [ 'none', ], + img_src => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ], + style_src => [ 'self', 'unsafe-inline' ], + object_src => [ 'none' ], + connect_src => [ + 'self', + # This is from extensions/OrangeFactor/web/js/orange_factor.js + 'https://treeherder.mozilla.org/api/failurecount/', + ], + form_action => [ + 'self', + # used in template/en/default/search/search-google.html.tmpl + 'https://www.google.com/search' + ], + frame_ancestors => [ 'none' ], + report_only => 1, + ); + if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) { + push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login'; + } + + return %policy; +} + # Because show_bug code lives in many different .cgi files, # we needed a centralized place to define the policy. # normally the policy would just live in one .cgi file. @@ -168,16 +193,30 @@ sub target_uri { } } -sub set_csp_object { - my ( $self, $object ) = @_; +sub content_security_policy { + my ($self, %add_params) = @_; + if (%add_params || !$self->{Bugzilla_csp}) { + my %params = DEFAULT_CSP; + delete $params{report_only} if %add_params && !$add_params{report_only}; + foreach my $key (keys %add_params) { + if (defined $add_params{$key}) { + $params{$key} = $add_params{$key}; + } + else { + delete $params{$key}; + } + } + $self->{Bugzilla_csp} = Bugzilla::CGI::ContentSecurityPolicy->new(%params); + } - $self->{Bugzilla_csp} = $object; + return $self->{Bugzilla_csp}; } -sub csp_object { +sub csp_nonce { my ($self) = @_; - return $self->{Bugzilla_csp}; + my $csp = $self->content_security_policy; + return $csp->has_nonce ? $csp->nonce : ''; } # We want this sorted plus the ability to exclude certain params diff --git a/Bugzilla/CGI/Role.pm b/Bugzilla/CGI/Role.pm deleted file mode 100644 index 33807eb7e..000000000 --- a/Bugzilla/CGI/Role.pm +++ /dev/null @@ -1,84 +0,0 @@ -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -# -# This Source Code Form is "Incompatible With Secondary Licenses", as -# defined by the Mozilla Public License, v. 2.0. - -package Bugzilla::CGI::Role; -use 5.10.1; -use strict; -use warnings; -use Role::Tiny; - -requires 'csp_object', 'set_csp_object'; - -sub DEFAULT_CSP { - my %policy = ( - default_src => [ 'self' ], - script_src => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ], - frame_src => [ 'none', ], - worker_src => [ 'none', ], - img_src => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ], - style_src => [ 'self', 'unsafe-inline' ], - object_src => [ 'none' ], - connect_src => [ - 'self', - # This is from extensions/OrangeFactor/web/js/orange_factor.js - 'https://treeherder.mozilla.org/api/failurecount/', - ], - form_action => [ - 'self', - # used in template/en/default/search/search-google.html.tmpl - 'https://www.google.com/search' - ], - frame_ancestors => [ 'none' ], - report_only => 1, - ); - if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) { - push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login'; - } - - return %policy; -} - -sub content_security_policy { - my ($self, %add_params) = @_; - if (%add_params || !$self->csp_object) { - my %params = DEFAULT_CSP; - delete $params{report_only} if %add_params && !$add_params{report_only}; - foreach my $key (keys %add_params) { - if (defined $add_params{$key}) { - $params{$key} = $add_params{$key}; - } - else { - delete $params{$key}; - } - } - $self->set_csp_object( Bugzilla::CGI::ContentSecurityPolicy->new(%params) ); - } - - return $self->csp_object; -} - -sub csp_nonce { - my ($self) = @_; - - my $csp = $self->content_security_policy; - return $csp->has_nonce ? $csp->nonce : ''; -} - -# Cookies are removed by setting an expiry date in the past. -# This method is a send_cookie wrapper doing exactly this. -sub remove_cookie { - my ($self, $name) = @_; - - # Expire the cookie, giving a non-empty dummy value (bug 268146). - $self->send_cookie( - '-name' => $name, - '-expires' => 'Tue, 15-Sep-1998 21:49:00 GMT', - '-value' => 'X' - ); -} - -1; -- cgit v1.2.3-24-g4f1b