From 9cc1d409eba799feaab7b9659dbcf49943155532 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Sat, 21 Feb 2015 13:29:10 +0000 Subject: [PATCH] harden login page by no longer using www.groupware.org to load social media icons --- phpgwapi/inc/class.egw_framework.inc.php | 50 +++++++++++++++---- phpgwapi/js/login.js | 34 +++++++------ .../default/images/login_contact.svg | 21 ++++++++ .../default/images/login_facebook.svg | 19 +++++++ .../default/images/login_twitter.svg | 24 +++++++++ 5 files changed, 123 insertions(+), 25 deletions(-) create mode 100644 phpgwapi/templates/default/images/login_contact.svg create mode 100644 phpgwapi/templates/default/images/login_facebook.svg create mode 100644 phpgwapi/templates/default/images/login_twitter.svg diff --git a/phpgwapi/inc/class.egw_framework.inc.php b/phpgwapi/inc/class.egw_framework.inc.php index 65ad82747b..88aa4193d3 100644 --- a/phpgwapi/inc/class.egw_framework.inc.php +++ b/phpgwapi/inc/class.egw_framework.inc.php 
@@ -180,18 +180,50 @@ abstract class egw_framework //error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace()); } } - //error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace()); + //error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_connect_src_attrs)).' '.function_backtrace()); return implode(' ', self::$csp_connect_src_attrs); } /** - * Query additional CSP frame-src from current app + * Additional attributes or urls for CSP frame-src 'self' * - * @return array + * @var array */ - protected function _get_csp_frame_src() + private static $csp_frame_src_attrs; + + /** + * Set/get Content-Security-Policy attributes for frame-src: + * + * Calling this method with an empty array sets no frame-src, but "'self'"! + * + * @param string|array $set =array() URL (incl. protocol!) + * @return string with attributes eg. "'unsafe-inline'" + */ + public static function csp_frame_src_attrs($set=null) { - return $GLOBALS['egw']->hooks->single('csp-frame-src', $GLOBALS['egw_info']['flags']['currentapp']); + // set frame-src attrs of API and apps via hook + if (!isset(self::$csp_frame_src_attrs) && !isset($set)) + { + $frame_src = array('manual.egroupware.org', 'www.egroupware.org'); + if (($additional = $GLOBALS['egw']->hooks->single('csp-frame-src', $GLOBALS['egw_info']['flags']['currentapp']))) + { + $frame_src = array_unique(array_merge($frame_src, $additional)); + } + return self::csp_frame_src_attrs($frame_src); + } + + if (!isset(self::$csp_frame_src_attrs)) self::$csp_frame_src_attrs = array(); + + foreach((array)$set as $attr) + { + if (!in_array($attr, self::$csp_frame_src_attrs)) + { + self::$csp_frame_src_attrs[] = $attr; + //error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace()); + } + } + //error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', 
self::$csp_frame_src_attrs)).' '.function_backtrace()); + return implode(' ', self::$csp_frame_src_attrs); } /** @@ -207,13 +239,10 @@ abstract class egw_framework // - "connect-src 'self'" allows ajax requests only to self // - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need // - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org - $frame_src = array("'self'", 'manual.egroupware.org', 'www.egroupware.org'); - if (($additional = $this->_get_csp_frame_src())) $frame_src = array_unique(array_merge($frame_src, $additional)); - $csp = "script-src 'self' ".self::csp_script_src_attrs(). "; connect-src 'self' ".self::csp_connect_src_attrs(). "; style-src 'self' ".self::csp_style_src_attrs(). - "; frame-src ".implode(' ', $frame_src); + "; frame-src 'self' ".self::csp_frame_src_attrs(); //$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything header("Content-Security-Policy: $csp"); @@ -512,8 +541,7 @@ abstract class egw_framework */ function login_screen($extra_vars) { - //allow to include JSONP file with social media urls from egroupware.org - self::csp_script_src_attrs('https://www.egroupware.org'); + self::csp_frame_src_attrs(array()); // array() no external frame-sources //error_log(__METHOD__."() server[template_dir]=".array2string($GLOBALS['egw_info']['server']['template_dir']).", this->template=$this->template, this->template_dir=$this->template_dir, get_class(this)=".get_class($this)); $tmpl = new Template($GLOBALS['egw_info']['server']['template_dir']); diff --git a/phpgwapi/js/login.js b/phpgwapi/js/login.js index 0fff07bc79..26820641fb 100644 --- a/phpgwapi/js/login.js +++ b/phpgwapi/js/login.js 
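Review bot: Passing an explicit empty array to `csp_frame_src_attrs()` does not reset the cached list, although the docblock promises it "sets no frame-src, but 'self'": `!isset($set)` is false for `array()`, and the `foreach` only appends, so whatever was stored earlier in the request (the manual.egroupware.org/www.egroupware.org defaults plus hook results from a prior no-argument call, or hosts an app added) survives. A one-line reset before the `foreach` makes the documented contract hold: `if (is_array($set) && !$set) self::$csp_frame_src_attrs = array(); // explicit array() drops every external frame source`. The docblock's `@return` example `'unsafe-inline'` and the commented log text `setting CSP script-src` are copied from the script-src variant and do not apply to frame-src, and `@param ... URL (incl. protocol!)` contradicts the scheme-less defaults two lines below; I would reword them to `@return string space-separated frame-src host expressions` and `setting CSP frame-src`.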
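Review bot: The policy assembled in `$csp` still has no `default-src`, so `img-src`, `font-src`, `media-src` and `object-src` stay unrestricted, and the `<img src>` elements login.js now builds for the local SVGs are not covered by this header even though the commit's purpose is to stop the login page loading from www.egroupware.org. I would append `"; object-src 'none'"` to `$csp` unless an app still embeds plugin content via `<object>`/`<embed>`, and `default-src 'self'` only if no app needs cross-origin images or fonts, which this hunk cannot tell. The new `"; frame-src 'self' "` segment ends with a trailing blank whenever `csp_frame_src_attrs()` returns the empty string; harmless, but `rtrim()` on the final `$csp` reads cleaner. The method enclosing this hunk starts before and ends after it.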
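Review bot: The new comment `// array() no external frame-sources` states an outcome that depends on call order: `csp_frame_src_attrs()` caches append-only, so if anything in the request queried it with no arguments before `login_screen()` runs, the hook defaults are already stored and this call changes nothing; the rest of `login_screen()` lies outside the hunk, so I cannot confirm the order from here. Until the setter supports a reset, I would make the dependency explicit: `// must be the first csp_frame_src_attrs() call of the request: the cache is append-only, hosts stored earlier cannot be removed`.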
@@ -1,19 +1,19 @@ -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. +/** + * EGroupware login page javascript + * + * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License + * @package etemplate + * @subpackage api + * @link http://www.egroupware.org + * @version $Id$ */ - -egw_LAB.wait(function() { - $j.ajax('https://www.egroupware.org/social.js', { - dataType: "jsonp", - jsonp: false, - jsonpCallback: "do_social", - cache: true - }).done(function(_data) +egw_LAB.wait(function() +{ + $j(document).ready(function() { - $j(document).ready(function() { + function do_social(_data) + { var isPixelegg = $j('link[href*="pixelegg.css"]')[0]; var social = $j(document.createElement('div')) .attr({ @@ -34,6 +34,12 @@ egw_LAB.wait(function() { .append($j(document.createElement('img')) .attr('src', data.svg)); } - }); + } + + do_social([ + { "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_contact.svg", "url": "https://www.egroupware.org/en/contact.html", "lang": { "de": "https://www.egroupware.org/de/kontakt.html" }}, + { "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_facebook.svg", "url": "https://www.facebook.com/egroupware" }, + { "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_twitter.svg", "url": "https://twitter.com/egroupware" } + ]); }); }); diff --git a/phpgwapi/templates/default/images/login_contact.svg b/phpgwapi/templates/default/images/login_contact.svg new file mode 100644 index 0000000000..5ce8142435 --- /dev/null +++ b/phpgwapi/templates/default/images/login_contact.svg @@ -0,0 +1,21 @@ + + + + + + + + + + + diff --git a/phpgwapi/templates/default/images/login_facebook.svg b/phpgwapi/templates/default/images/login_facebook.svg new file mode 100644 index 0000000000..11f9e72b08 --- /dev/null 
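Review bot: The new file header tags the script as `@package etemplate` although it lives under phpgwapi/js and the next tag already says `@subpackage api`; this looks copied from another header and should presumably read `@package phpgwapi` (verify against the project's other headers). Nothing in the header or the `ready` callback records why the JSONP fetch from www.egroupware.org was removed, which is the kind of rationale a later cleanup would otherwise reverse; I would add above `function do_social(_data)` the comment `// Social links are inlined on purpose: fetching them as JSONP from www.egroupware.org meant executing script served by that host on the login page, so keep this list static.`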
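Review bot: The record shape `do_social()` consumes (`svg`, `url`, optional `lang` map keyed by language code) is now defined only by the three literals at the bottom of the callback, and the `/phpgwapi/templates/default/images/` path is hard-coded in each of them. I would hoist them into a named array with a comment describing the fields, e.g. `var social_links = [ ... ]; // {svg: icon URL, url: default link, lang: {code: localized link}}`, and build the `svg` value from one shared prefix so a template or locale change touches a single place; the remaining lines of `do_social()` fall between the two hunks, so I cannot see how a missing `lang` key is handled.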
+++ b/phpgwapi/templates/default/images/login_facebook.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + diff --git a/phpgwapi/templates/default/images/login_twitter.svg b/phpgwapi/templates/default/images/login_twitter.svg new file mode 100644 index 0000000000..4fcc581878 --- /dev/null +++ b/phpgwapi/templates/default/images/login_twitter.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + +