N°3317 Security hardening

application/ajaxwebpage.class.inc.php

@@ -42,21 +42,22 @@ class ajax_page extends WebPage implements iTabbedPage
      */	  
 	function __construct($s_title)
     {
-		$sPrintable = utils::ReadParam('printable', '0');
-		$bPrintable = ($sPrintable == '1');
+	    $sPrintable = utils::ReadParam('printable', '0');
+	    $bPrintable = ($sPrintable == '1');
 
-        parent::__construct($s_title, $bPrintable);
-        $this->m_sReadyScript = "";
-		//$this->add_header("Content-type: text/html; charset=utf-8");
-		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
+	    parent::__construct($s_title, $bPrintable);
+	    $this->m_sReadyScript = "";
+	    //$this->add_header("Content-type: text/html; charset=utf-8");
+	    $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 	    $this->add_header('Pragma: no-cache');
 	    $this->add_header('Expires: 0');
-		$this->m_oTabs = new TabManager();
-		$this->sContentType = 'text/html';
-		$this->sContentDisposition = 'inline';
-		$this->m_sMenu = "";
+	    $this->add_header('X-Frame-Options: deny');
+	    $this->m_oTabs = new TabManager();
+	    $this->sContentType = 'text/html';
+	    $this->sContentDisposition = 'inline';
+	    $this->m_sMenu = "";
 
-		utils::InitArchiveMode();
+	    utils::InitArchiveMode();
     }
 
 	public function AddTabContainer($sTabContainer, $sPrefix = '')

application/csvpage.class.inc.php

@@ -31,12 +31,13 @@ class CSVPage extends WebPage
 {
     function __construct($s_title)
     {
-        parent::__construct($s_title);
+	    parent::__construct($s_title);
 	    $this->add_header("Content-type: text/plain; charset=utf-8");
 	    $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 	    $this->add_header('Pragma: no-cache');
 	    $this->add_header('Expires: 0');
-		//$this->add_header("Content-Transfer-Encoding: binary");
+	    $this->add_header('X-Frame-Options: deny');
+	    //$this->add_header("Content-Transfer-Encoding: binary");
     }	
 
     public function output()

application/itopwebpage.class.inc.php

@@ -75,6 +75,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 		$this->add_header('Pragma: no-cache');
 		$this->add_header('Expires: 0');
+		$this->add_header('X-Frame-Options: deny');
 		$this->add_linked_stylesheet("../css/jquery.treeview.css");
 		$this->add_linked_stylesheet("../css/jquery.autocomplete.css");
 		$this->add_linked_stylesheet("../css/jquery-ui-timepicker-addon.css");

application/loginwebpage.class.inc.php

@@ -62,16 +62,16 @@ class LoginWebPage extends NiceWebPage
 	
 	public function __construct($sTitle = null)
 	{
-	    if($sTitle === null)
-        {
-            $sTitle = Dict::S('UI:Login:Title');
-        }
+		if ($sTitle === null) {
+			$sTitle = Dict::S('UI:Login:Title');
+		}
 
 		parent::__construct($sTitle);
 		$this->SetStyleSheet();
 		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 		$this->add_header('Pragma: no-cache');
 		$this->add_header('Expires: 0');
+		$this->add_header('X-Frame-Options: deny');
 	}
 	
 	public function SetStyleSheet()

application/webpage.class.inc.php

@@ -358,6 +358,7 @@ class WebPage implements Page
 		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 		$this->add_header('Pragma: no-cache');
 		$this->add_header('Expires: 0');
+		$this->add_header('X-Frame-Options: deny');
 	}
 
 	/**

application/xmlpage.class.inc.php

@@ -46,8 +46,9 @@ class XMLPage extends WebPage
 		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 		$this->add_header('Pragma: no-cache');
 		$this->add_header('Expires: 0');
+		$this->add_header('X-Frame-Options: deny');
 		$this->add_header("Content-location: export.xml");
-	}	
+	}
 
 	public function output()
 	{

datamodels/2.x/combodo-db-tools/dbtools.php

@@ -570,7 +570,6 @@ try
 	$sPageId = 'db-tools';
 
 	$oP = new iTopWebPage($sPageTitle);
-	$this->m_oPage->add_header('X-Frame-Options: deny');
 	$oP->add_saas('env-'.utils::GetCurrentEnvironment().'/combodo-db-tools/default.scss');
 
 	$oP->add(

datamodels/2.x/itop-backup/status.php

@@ -37,7 +37,6 @@ try
 {
 	$sTransactionId = utils::GetNewTransactionId();
 	$oP = new iTopWebPage(Dict::S('bkp-status-title'));
-	$oP->add_header('X-Frame-Options: deny');
 	$oP->set_base(utils::GetAbsoluteUrlAppRoot().'pages/');
 
 	$oP->add("<h1>".Dict::S('bkp-status-title')."</h1>");

datamodels/2.x/itop-config/config.php

@@ -100,7 +100,6 @@ ApplicationMenu::CheckMenuIdEnabled('ConfigEditor');
 //$oAppContext = new ApplicationContext();
 
 $oP = new iTopWebPage(Dict::S('config-edit-title'));
-$oP->add_header('X-Frame-Options: deny');
 $oP->set_base(utils::GetAbsoluteUrlAppRoot().'pages/');
 $oP->add_linked_script(utils::GetCurrentModuleUrl().'/js/ace.js');
 $oP->add_linked_script(utils::GetCurrentModuleUrl().'/js/mode-php.js');

pages/UI.php

@@ -1780,7 +1780,6 @@ EOF
 		///////////////////////////////////////////////////////////////////////////////////////////
 
 		default: // Menu node rendering (templates)
-		$oP->add_header('X-Frame-Options: deny');
 		ApplicationMenu::LoadAdditionalMenus();
 		$oMenuNode = ApplicationMenu::GetMenuNode(ApplicationMenu::GetMenuIndexById(ApplicationMenu::GetActiveNodeId()));
 		if (is_object($oMenuNode))

pages/UniversalSearch.php

@@ -38,7 +38,6 @@ ApplicationMenu::CheckMenuIdEnabled('UniversalSearchMenu');
 $oAppContext = new ApplicationContext();
 
 $oP = new iTopWebPage(Dict::S('UI:UniversalSearchTitle'));
-$oP->add_header('X-Frame-Options: deny');
 $oP->add_linked_script("../js/json.js");
 $oP->add_linked_script("../js/forms-json-utils.js");
 $oP->add_linked_script("../js/wizardhelper.js");

pages/notifications.php

@@ -37,7 +37,6 @@ ApplicationMenu::CheckMenuIdEnabled("NotificationsMenu");
 // Main program
 //
 $oP = new iTopWebPage(Dict::S('Menu:NotificationsMenu+'));
-$oP->add_header('X-Frame-Options: deny');
 
 $oP->add('<div class="page_header" style="padding:0.5em;">');
 $oP->add('<h1>'.dict::S('UI:NotificationsMenu:Title').'</h1>');

pages/run_query.php

@@ -100,7 +100,6 @@ $oAppContext = new ApplicationContext();
 
 $oP = new iTopWebPage(Dict::S('UI:RunQuery:Title'));
 $oP->SetBreadCrumbEntry('ui-tool-runquery', Dict::S('Menu:RunQueriesMenu'), Dict::S('Menu:RunQueriesMenu+'), '', utils::GetAbsoluteUrlAppRoot().'images/wrench.png');
-$oP->add_header('X-Frame-Options: deny');
 
 // Main program
 $sExpression = utils::ReadParam('expression', '', false, 'raw_data');

pages/schema.php

@@ -1074,7 +1074,6 @@ $operation = utils::ReadParam('operation', '');
 
 $oPage = new iTopWebPage(Dict::S('UI:Schema:Title'));
 $oPage->no_cache();
-$oPage->add_header('X-Frame-Options: deny');
 
 $oPage->SetBreadCrumbEntry('ui-tool-datamodel', Dict::S('Menu:DataModelMenu'), Dict::S('Menu:DataModelMenu+'), '', utils::GetAbsoluteUrlAppRoot().'images/wrench.png');
 $oPage->add_script(

webservices/export-v2.php

@@ -352,7 +352,6 @@ function InteractiveShell($sExpression, $sQueryId, $sFormat, $sFileName, $sMode)
 	if ($sMode == 'dialog')
 	{
 		$oP = new ajax_page('');
-		$oP->add_header('X-Frame-Options: deny');
 		$oP->add('<div id="interactive_export_dlg">');
 		$sExportBtnLabel = json_encode(Dict::S('UI:Button:Export'));
 		$sJSTitle = json_encode(htmlentities(utils::ReadParam('dialog_title', '', false, 'raw_data'), ENT_QUOTES, 'UTF-8'));
@@ -378,7 +377,6 @@ EOF
 	else
 	{
 		$oP = new iTopWebPage('iTop Export');
-		$oP->add_header('X-Frame-Options: deny');
 		$oP->SetBreadCrumbEntry('ui-tool-export', Dict::S('Menu:ExportMenu'), Dict::S('Menu:ExportMenu+'), '', utils::GetAbsoluteUrlAppRoot().'images/wrench.png');
 	}
 	
@@ -753,7 +751,6 @@ try
 		else
 		{
 			$oP = new ajax_page('iTop export');
-			$oP->add_header('X-Frame-Options: deny');
 			$oP->SetContentType($oExporter->GetMimeType());
 		}
 		DoExport($oP, $oExporter, false);
@@ -763,7 +760,6 @@ try
 catch (BulkExportMissingParameterException $e)
 {
 	$oP = new ajax_page('iTop Export');
-	$oP->add_header('X-Frame-Options: deny');
 	$oP->add($e->getMessage());
 	Usage($oP);
 	$oP->output();