forked from extern/egroupware
* Spellchecker: marking "browser based" (default for new installs) and "No" as safer and fixing CSP policy for web-spell-checker
This commit is contained in:
Ralf Becker
parent
fe2e78f628
commit
20179f1767
@ -92,10 +92,10 @@
|
||||
<td>{lang_Enable_spellcheck_in_rich_text_editor}:</td>
|
||||
<td>
|
||||
<select name="newsettings[enabled_spellcheck]">
|
||||
<option value="">{lang_No}</option>
|
||||
<option value="">{lang_No} - {lang_more_secure}</option>
|
||||
<option value="True"{selected_enabled_spellcheck_True}>{lang_Yes}</option>
|
||||
<option value="YesNoSCAYT"{selected_enabled_spellcheck_YesNoSCAYT}>{lang_Yes,_but_no_SCAYT}</option>
|
||||
<option value="YesBrowserBased"{selected_enabled_spellcheck_YesBrowserBased}>{lang_Yes,_use_browser_based_spell_checking_engine}</option>
|
||||
<option value="YesBrowserBased"{selected_enabled_spellcheck_YesBrowserBased}>{lang_Yes,_use_browser_based_spell_checking_engine} - {lang_more_secure}</option>
|
||||
<option value="YesUseWebSpellCheck"{selected_enabled_spellcheck_YesUseWebSpellCheck}>{lang_Yes,_use_WebSpellChecker}</option>
|
||||
</select>
|
||||
</td>
|
||||
@ -266,15 +266,6 @@
|
||||
</tr>
|
||||
-->
|
||||
|
||||
<tr class="row_off">
|
||||
<td>{lang_Enable_the_soap_service} {lang_(default_No,_leave_it_off_if_you_dont_use_it)}:</td>
|
||||
<td>
|
||||
<select name="newsettings[soap_enabled]">
|
||||
<option value="">{lang_No}</option>
|
||||
<option value="True"{selected_soap_enabled_True}>{lang_Yes}</option>
|
||||
</select>
|
||||
</td>
|
||||
</tr>
|
||||
<tr class="row_on">
|
||||
<td>{lang_How_many_entries_should_non-admins_be_able_to_export_(empty_=_no_limit,_no_=_no_export)}:<br />{lang_This_controls_exports_and_merging.}</td>
|
||||
<td><input name="newsettings[export_limit]" value="{value_export_limit}" size="5"></td>
|
||||
|
||||
@ -422,6 +422,11 @@ class egw_ckeditor_config
|
||||
return json_encode(self::get_ckeditor_config_array($mode, $height, $expanded_toolbar, $start_path));
|
||||
}
|
||||
|
||||
/**
|
||||
* URL webspellchecker uses for scripts and style-sheets
|
||||
*/
|
||||
const WEBSPELLCHECK_HOST = 'svc.webspellchecker.net';
|
||||
|
||||
/**
|
||||
* Set for CK-Editor necessary CSP script-src attributes
|
||||
*
|
||||
@ -430,11 +435,14 @@ class egw_ckeditor_config
|
||||
public static function set_csp_script_src_attrs()
|
||||
{
|
||||
$attrs = array('unsafe-eval', 'unsafe-inline');
|
||||
$url = ($_SERVER['HTTPS'] ? 'https://' : 'http://').self::WEBSPELLCHECK_HOST;
|
||||
|
||||
// if webspellchecker is enabled in EGroupware config, allow access to it's url
|
||||
if (in_array($GLOBALS['egw_info']['server']['enabled_spellcheck'], array('True', 'YesUseWebSpellCheck')))
|
||||
{
|
||||
$attrs[] = 'https://svc.webspellchecker.net';
|
||||
$attrs[] = $url;
|
||||
|
||||
egw_framework::csp_style_src_attrs($url);
|
||||
}
|
||||
//error_log(__METHOD__."() egw_info[server][enabled_spellcheck]='{$GLOBALS['egw_info']['server']['enabled_spellcheck']}' --> attrs=".array2string($attrs));
|
||||
// tell framework CK Editor needs eval and inline javascript :(
|
||||
|
||||
@ -101,7 +101,7 @@ abstract class egw_framework
|
||||
*
|
||||
* EGroupware itself currently still requires 'unsafe-eval'!
|
||||
*
|
||||
* @param string|array $set=array() 'unsafe-eval' and/or 'unsafe-inline' (without quotes!)
|
||||
* @param string|array $set =array() 'unsafe-eval' and/or 'unsafe-inline' (without quotes!) or URL (incl. protocol!)
|
||||
* @return string with attributes eg. "'unsafe-eval' 'unsafe-inline'"
|
||||
*/
|
||||
public static function csp_script_src_attrs($set=null)
|
||||
@ -122,6 +122,41 @@ abstract class egw_framework
|
||||
return implode(' ', self::$csp_script_src_attrs);
|
||||
}
|
||||
|
||||
/**
|
||||
* Additional attributes or urls for CSP style-src 'self'
|
||||
*
|
||||
* 'unsafe-inline' is currently allways added, as it is used in a couple of places.
|
||||
*
|
||||
* @var array
|
||||
*/
|
||||
private static $csp_style_src_attrs = array("'unsafe-inline'");
|
||||
|
||||
/**
|
||||
* Set/get Content-Security-Policy attributes for style-src: 'unsafe-inline'
|
||||
*
|
||||
* EGroupware itself currently still requires 'unsafe-inline'!
|
||||
*
|
||||
* @param string|array $set =array() 'unsafe-inline' (without quotes!) and/or URL (incl. protocol!)
|
||||
* @return string with attributes eg. "'unsafe-inline'"
|
||||
*/
|
||||
public static function csp_style_src_attrs($set=null)
|
||||
{
|
||||
foreach((array)$set as $attr)
|
||||
{
|
||||
if (in_array($attr, array('none', 'self', 'unsafe-inline')))
|
||||
{
|
||||
$attr = "'$attr'"; // automatic add quotes
|
||||
}
|
||||
if (!in_array($attr, self::$csp_style_src_attrs))
|
||||
{
|
||||
self::$csp_style_src_attrs[] = $attr;
|
||||
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
|
||||
}
|
||||
}
|
||||
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace());
|
||||
return implode(' ', self::$csp_style_src_attrs);
|
||||
}
|
||||
|
||||
/**
|
||||
* Query additional CSP frame-src from current app
|
||||
*
|
||||
@ -146,11 +181,13 @@ abstract class egw_framework
|
||||
// - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need
|
||||
// - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
|
||||
$frame_src = array("'self'", 'manual.egroupware.org');
|
||||
if (($additional = $this->_get_csp_frame_src())) $frame_src = array_merge($frame_src, $additional);
|
||||
if (($additional = $this->_get_csp_frame_src())) $frame_src = array_unique(array_merge($frame_src, $additional));
|
||||
|
||||
$csp = "script-src 'self' ".self::csp_script_src_attrs().
|
||||
"; connect-src 'self'".
|
||||
"; style-src 'self' ".self::csp_style_src_attrs().
|
||||
"; frame-src ".implode(' ', $frame_src);
|
||||
|
||||
$csp = "script-src 'self' ".($script_attrs=self::csp_script_src_attrs()).
|
||||
"; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src ".implode(' ', $frame_src);
|
||||
//error_log(__METHOD__."() script_attrs=$script_attrs");
|
||||
//$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything
|
||||
header("Content-Security-Policy: $csp");
|
||||
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS
|
||||
@ -446,7 +483,7 @@ abstract class egw_framework
|
||||
{
|
||||
//allow to include JSONP file with social media urls from egroupware.org
|
||||
self::csp_script_src_attrs('https://www.egroupware.org');
|
||||
|
||||
|
||||
//error_log(__METHOD__."() server[template_dir]=".array2string($GLOBALS['egw_info']['server']['template_dir']).", this->template=$this->template, this->template_dir=$this->template_dir, get_class(this)=".get_class($this));
|
||||
$tmpl = new Template($GLOBALS['egw_info']['server']['template_dir']);
|
||||
|
||||
|
||||
@ -240,8 +240,8 @@ class setup_process
|
||||
{
|
||||
unset($current_config['aspell_path']);
|
||||
}
|
||||
// always enable spellchecker, ckeditor now uses spell-as-you-type via a public webservice
|
||||
$current_config['enabled_spellcheck'] = 'True';
|
||||
// always enable browser based spellchecker
|
||||
$current_config['enabled_spellcheck'] = 'YesBrowserBased';
|
||||
|
||||
// always enable history logging for calendar, addressbook and infolog
|
||||
$current_config['history'] = 'history'; // addressbook: only admin
|
||||
|
||||
Loading…
Reference in New Issue
Block a user