[Pkg-owncloud-commits] [owncloud] 50/55: Backport of #8183 to stable6
David Prévot
taffit at moszumanska.debian.org
Wed Apr 23 19:52:01 UTC 2014
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to annotated tag v5.0.16RC1
in repository owncloud.
commit f48b0d9681977434c6a14c5dd0bd37b23f6ca3a8
Author: Robin Appelman <icewind at owncloud.com>
Date: Wed Apr 23 12:26:59 2014 +0200
Backport of #8183 to stable6
---
lib/base.php | 29 +++++++++++++++++++++++++++++
lib/json.php | 2 --
lib/template.php | 22 ----------------------
3 files changed, 29 insertions(+), 24 deletions(-)
diff --git a/lib/base.php b/lib/base.php
index 3c3c13c..a17cf19 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -245,6 +245,34 @@ class OC {
}
}
+ /*
+ * This function adds some security related headers to all requests served via base.php
+ * The implementation of this function has to happen here to ensure that all third-party
+ * components (e.g. SabreDAV) also benefit from this headers.
+ */
+ public static function addSecurityHeaders() {
+ header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+ header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+
+ // iFrame Restriction Policy
+ $xFramePolicy = OC_Config::getValue('xframe_restriction', true);
+ if ($xFramePolicy) {
+ header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+ }
+
+ // Content Security Policy
+ // If you change the standard policy, please also change it in config.sample.php
+ $policy = OC_Config::getValue('custom_csp_policy',
+ 'default-src \'self\'; '
+ . 'script-src \'self\' \'unsafe-eval\'; '
+ . 'style-src \'self\' \'unsafe-inline\'; '
+ . 'frame-src *; '
+ . 'img-src *; '
+ . 'font-src \'self\' data:; '
+ . 'media-src *');
+ header('Content-Security-Policy:' . $policy);
+ }
+
public static function checkSSL() {
// redirect to https site if configured
if (OC_Config::getValue("forcessl", false)) {
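Review bot: `header('Content-Security-Policy:' . $policy);` on the last added line of addSecurityHeaders() omits the space after the colon that every other header() call in the function has; browsers tolerate it, but `header('Content-Security-Policy: ' . $policy);` is the consistent form. The leading comment is a plain `/* */` block rather than a `/** */` docblock, so it will not be picked up as documentation; I would also narrow its claim, since the headers reach third-party components only on requests that pass through OC::init() where the call is added in the second hunk, e.g. `/** Adds security-related response headers for every request that goes through OC::init(); third-party components (e.g. SabreDAV) only benefit when they are dispatched via base.php. */`. The default policy (with `'unsafe-eval'`, `'unsafe-inline'` styles and wildcard frame/img/media sources) is duplicated in config.sample.php as the comment notes; keeping the two in sync is now the only place it is defined in code, since the copy in template.php is removed in the fourth hunk. addSecurityHeaders() is fully inside this hunk, but the enclosing class OC continues outside it.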
@@ -479,6 +507,7 @@ class OC {
self::checkConfig();
self::checkInstalled();
self::checkSSL();
+ self::addSecurityHeaders();
self::initSession();
$errors = OC_Util::checkServer();
diff --git a/lib/json.php b/lib/json.php
index f929e95..5e2c762 100644
--- a/lib/json.php
+++ b/lib/json.php
@@ -104,8 +104,6 @@ class OC_JSON{
* Encode and print $data in json format
*/
public static function encodedPrint($data, $setContentType=true) {
- // Disable mimesniffing, don't move this to setContentTypeHeader!
- header( 'X-Content-Type-Options: nosniff' );
if($setContentType) {
self::setContentTypeHeader();
}
diff --git a/lib/template.php b/lib/template.php
index 2f53533..199e0f6 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -185,28 +185,6 @@ class OC_Template{
$parts = explode('/', $app); // fix translation when app is something like core/lostpassword
$this->l10n = OC_L10N::get($parts[0]);
- // Some headers to enhance security
- header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
- header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
-
- // iFrame Restriction Policy
- $xFramePolicy = OC_Config::getValue('xframe_restriction', true);
- if($xFramePolicy) {
- header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
- }
-
- // Content Security Policy
- // If you change the standard policy, please also change it in config.sample.php
- $policy = OC_Config::getValue('custom_csp_policy',
- 'default-src \'self\'; '
- .'script-src \'self\' \'unsafe-eval\'; '
- .'style-src \'self\' \'unsafe-inline\'; '
- .'frame-src *; '
- .'img-src *; '
- .'font-src \'self\' data:; '
- .'media-src *');
- header('Content-Security-Policy:'.$policy); // Standard
-
$this->findTemplate($name);
}
--