composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-05-19 07:12:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°4129 - Security hardening

Browse Source
This commit is contained in:
Molkobain
2021-08-18 15:57:18 +02:00
parent 834ac00d37
commit 92a9a8c65f
3 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
core/config.class.inc.php
View File

@@ -1161,6 +1161,14 @@ class Config
'source_of_value' => '', 'source_of_value' => '',
'show_in_conf_sample' => false, 'show_in_conf_sample' => false,
), ),
'security.disable_inline_documents_sandbox' => array(
'type' => 'bool',
'description' => 'If true then the sandbox for documents displayed in a browser tab will be disabled; enabling scripts and other interactive content. Note that setting this to true will open the application to potential XSS attacks!',
'default' => false,
'value' => false,
'source_of_value' => '',
'show_in_conf_sample' => false,
),
); );
public function IsProperty($sPropCode) public function IsProperty($sPropCode)

5
datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
View File

@@ -1295,6 +1295,11 @@ class ObjectController extends AbstractController
$aHeaders['Content-Type'] = $oDocument->GetMimeType(); $aHeaders['Content-Type'] = $oDocument->GetMimeType();
$aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment') . ';filename="'.$oDocument->GetFileName().'"'; $aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment') . ';filename="'.$oDocument->GetFileName().'"';
// N°4129 - Prevent XSS attacks & other script executions
if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
$aHeaders['Content-Security-Policy'] = 'sandbox';
}
return new Response($oDocument->GetData(), Response::HTTP_OK, $aHeaders); return new Response($oDocument->GetData(), Response::HTTP_OK, $aHeaders);
} }

7
pages/ajax.render.php
View File

@@ -902,7 +902,12 @@ try
$sField = utils::ReadParam('field', ''); $sField = utils::ReadParam('field', '');
if (!empty($sClass) && ($sClass != 'InlineImage') && !empty($id) && !empty($sField)) if (!empty($sClass) && ($sClass != 'InlineImage') && !empty($id) && !empty($sField))
{ {
$oPage->add_header('X-Frame-Options:'); // resets header, see N°3416 // Resets header, see N°3416
$oPage->add_header('X-Frame-Options:');
// N°4129 - Prevent XSS attacks & other script executions
if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
$oPage->add_header('Content-Security-Policy: sandbox;');
}
ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'inline'); ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'inline');
} }
break; break;