to mitigate html download with CSP: no blacklisting just IE, only whitelist tested browsers and versions

This commit is contained in:
Ralf Becker 2013-10-01 09:51:06 +00:00
parent 06c7265cea
commit c6d2a0c6ce


@ -669,16 +669,23 @@ class vfs_webdav_server extends HTTP_WebDAV_Server_Filesystem
// mitigate risk of html downloads by using CSP or force download for IE // mitigate risk of html downloads by using CSP or force download for IE
if (!$this->force_download && in_array($options['mimetype'], array('text/html', 'application/xhtml+xml'))) if (!$this->force_download && in_array($options['mimetype'], array('text/html', 'application/xhtml+xml')))
{ {
if (html::$user_agent == 'msie') // according to http://caniuse.com/contentsecuritypolicy not supported in IE // use CSP only for current user-agents/versions I was able to positivly test
{ if (html::$user_agent == 'chrome' && html::$ua_version >= 24 ||
$this->force_download = true; // mobile FF 24 on Android does NOT honor CSP!
} html::$user_agent == 'firefox' && !html::$ua_mobile && html::$ua_version >= 24 ||
else html::$user_agent == 'safari' && !html::$ua_mobile && html::$ua_version >= 536 || // OS X
html::$user_agent == 'safari' && html::$ua_mobile && html::$ua_version >= 9537) // iOS 7
{ {
$csp = "script-src 'none'"; // forbid to execute any javascript $csp = "script-src 'none'"; // forbid to execute any javascript
header("Content-Security-Policy: $csp"); header("Content-Security-Policy: $csp");
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS
header("X-Content-Security-Policy: $csp"); // FF <= 22 //header("X-Content-Security-Policy: $csp"); // FF <= 22
//error_log(__METHOD__."('$options[path]') ".html::$user_agent.'/'.html::$ua_version.(html::$ua_mobile?'/mobile':'').": using Content-Security-Policy: $csp");
}
else // everything else get's a Content-dispostion: attachment, to be on save side
{
//error_log(__METHOD__."('$options[path]') ".html::$user_agent.'/'.html::$ua_version.(html::$ua_mobile?'/mobile':'').": using Content-disposition: attachment");
$this->force_download = true;
} }
} }
if ($this->force_download) if ($this->force_download)
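Review bot: The policy assigned at `$csp = "script-src 'none'"` in the CSP branch only forbids script execution; an uploaded HTML document served inline can still load plugin content via `<object>`/`<embed>` and child frames, which the policy leaves at their defaults, so `$csp = "script-src 'none'; object-src 'none'";` (optionally with a `frame-src 'none'` / `default-src`-based policy) would close that gap without breaking rendering. The `in_array($options['mimetype'], array('text/html', 'application/xhtml+xml'))` guard at the top of the hunk also admits other script-capable types, most notably `image/svg+xml`, which is neither covered by the CSP branch nor forced to download. The four-clause user-agent condition mixes `&&` and `||` without parentheses; it evaluates as intended because `&&` binds tighter, but wrapping each browser clause in parentheses would make the whitelist easier to audit and extend. Note that the branch decision rests on the client-reported User-Agent, which is acceptable for protecting the viewing user's own browser but should not be mistaken for a server-side security control. The enclosing method starts before the hunk.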