[Pkg-owncloud-commits] [owncloud] 03/32: Backport of #8183 to stable6
David Prévot
taffit at moszumanska.debian.org
Wed Apr 23 18:58:59 UTC 2014
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository owncloud.
commit 9f1788f202d93d0be13be5b8db1e828450a8f7d6
Author: Lukas Reschke <lukas at statuscode.ch>
Date: Fri Apr 18 11:13:47 2014 +0200
Backport of #8183 to stable6
Some headers were currently only added to the templates but not to
other components (e.g. SabreDAV / JSON / etc...)
The migration to base.php ensures that the headers are served to all
requests passing base.php
---
lib/base.php | 29 +++++++++++++++++++++++++++++
lib/private/json.php | 2 --
lib/private/template.php | 23 -----------------------
3 files changed, 29 insertions(+), 25 deletions(-)
diff --git a/lib/base.php b/lib/base.php
index dba905f..b594aa4 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -206,6 +206,34 @@ class OC {
}
}
+ /*
+ * This function adds some security related headers to all requests served via base.php
+ * The implementation of this function has to happen here to ensure that all third-party
+ * components (e.g. SabreDAV) also benefit from this headers.
+ */
+ public static function addSecurityHeaders() {
+ header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+ header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+
+ // iFrame Restriction Policy
+ $xFramePolicy = OC_Config::getValue('xframe_restriction', true);
+ if($xFramePolicy) {
+ header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+ }
+
+ // Content Security Policy
+ // If you change the standard policy, please also change it in config.sample.php
+ $policy = OC_Config::getValue('custom_csp_policy',
+ 'default-src \'self\'; '
+ .'script-src \'self\' \'unsafe-eval\'; '
+ .'style-src \'self\' \'unsafe-inline\'; '
+ .'frame-src *; '
+ .'img-src *; '
+ .'font-src \'self\' data:; '
+ .'media-src *');
+ header('Content-Security-Policy:'.$policy);
+ }
+
public static function checkSSL() {
// redirect to https site if configured
if (OC_Config::getValue("forcessl", false)) {
@@ -516,6 +544,7 @@ class OC {
self::checkConfig();
self::checkInstalled();
self::checkSSL();
+ self::addSecurityHeaders();
$errors = OC_Util::checkServer();
if (count($errors) > 0) {
diff --git a/lib/private/json.php b/lib/private/json.php
index d7a4b5a..4108b3a 100644
--- a/lib/private/json.php
+++ b/lib/private/json.php
@@ -118,8 +118,6 @@ class OC_JSON{
* Encode and print $data in json format
*/
public static function encodedPrint($data, $setContentType=true) {
- // Disable mimesniffing, don't move this to setContentTypeHeader!
- header( 'X-Content-Type-Options: nosniff' );
if($setContentType) {
self::setContentTypeHeader();
}
diff --git a/lib/private/template.php b/lib/private/template.php
index b2c3a20..4519ae8 100644
--- a/lib/private/template.php
+++ b/lib/private/template.php
@@ -64,29 +64,6 @@ class OC_Template extends \OC\Template\Base {
$this->path = $path;
parent::__construct($template, $requesttoken, $l10n, $themeDefaults);
-
- // Some headers to enhance security
- header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
- header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
-
- // iFrame Restriction Policy
- $xFramePolicy = OC_Config::getValue('xframe_restriction', true);
- if($xFramePolicy) {
- header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
- }
-
- // Content Security Policy
- // If you change the standard policy, please also change it in config.sample.php
- $policy = OC_Config::getValue('custom_csp_policy',
- 'default-src \'self\'; '
- .'script-src \'self\' \'unsafe-eval\'; '
- .'style-src \'self\' \'unsafe-inline\'; '
- .'frame-src *; '
- .'img-src *; '
- .'font-src \'self\' data:; '
- .'media-src *');
- header('Content-Security-Policy:'.$policy); // Standard
-
}
/**
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git
More information about the Pkg-owncloud-commits
mailing list