From 9865bf0779abf2303de74b2c39117374e8983f42 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon
Date: Thu, 14 Dec 2023 10:04:08 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B04368=20add=20sending=20X-Content-Type-Op?=
 =?UTF-8?q?tions=20HTTP=20header=20Replace=20in=20consumers=20the=20\WebPa?=
 =?UTF-8?q?ge::add=5Fxframe=5Foptions=20call=20by=20\WebPage::add=5Fhttp?=
 =?UTF-8?q?=5Fheaders?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/ajaxwebpage.class.inc.php | 2 +-
 application/csvpage.class.inc.php | 2 +-
 application/itopwebpage.class.inc.php | 2 +-
 application/loginwebpage.class.inc.php | 2 +-
 application/webpage.class.inc.php | 24 +++++++++++++++++++
 application/xmlpage.class.inc.php | 2 +-
 .../hubconnectorpage.class.inc.php | 2 +-
 pages/ajax.document.php | 6 ++---
 pages/ajax.render.php | 2 +-
 setup/email.test.php | 2 +-
 .../TwigBase/Controller/Controller.php | 2 +-
 .../php-unit-tests/legacy-tests/benchmark.php | 2 +-
 webservices/export-v2.php | 10 ++++----
 13 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/application/ajaxwebpage.class.inc.php b/application/ajaxwebpage.class.inc.php
index 2c9a61b1f..ae4dd44d4 100644
--- a/application/ajaxwebpage.class.inc.php
+++ b/application/ajaxwebpage.class.inc.php
@@ -42,7 +42,7 @@ class ajax_page extends WebPage implements iTabbedPage
 $this->m_sReadyScript = "";
 //$this->add_header("Content-type: text/html; charset=utf-8");
 $this->no_cache();
- $this->add_xframe_options();
+ $this->add_http_headers();
 $this->m_oTabs = new TabManager();
 $this->sContentType = 'text/html';
 $this->sContentDisposition = 'inline';
diff --git a/application/csvpage.class.inc.php b/application/csvpage.class.inc.php
index 78ddce6ad..a2a2e64b6 100644
--- a/application/csvpage.class.inc.php
+++ b/application/csvpage.class.inc.php
@@ -33,7 +33,7 @@ class CSVPage extends WebPage
 parent::__construct($s_title);
 $this->add_header("Content-type: text/plain; charset=".self::PAGES_CHARSET);
 $this->no_cache();
- $this->add_xframe_options();
+ $this->add_http_headers();
 //$this->add_header("Content-Transfer-Encoding: binary");
 }
diff --git a/application/itopwebpage.class.inc.php b/application/itopwebpage.class.inc.php
index 02024b345..e750d3fcc 100644
--- a/application/itopwebpage.class.inc.php
+++ b/application/itopwebpage.class.inc.php
@@ -71,7 +71,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 $this->SetRootUrl(utils::GetAbsoluteUrlAppRoot());
 $this->add_header("Content-type: text/html; charset=".self::PAGES_CHARSET);
 $this->no_cache();
- $this->add_xframe_options();
+ $this->add_http_headers();
 $this->add_linked_stylesheet("../css/jquery.treeview.css");
 $this->add_linked_stylesheet("../css/jquery.autocomplete.css");
 $this->add_linked_stylesheet("../css/jquery-ui-timepicker-addon.css");
diff --git a/application/loginwebpage.class.inc.php b/application/loginwebpage.class.inc.php
index 490ced28a..74cbeece8 100644
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -85,7 +85,7 @@ class LoginWebPage extends NiceWebPage
 parent::__construct($sTitle);
 $this->SetStyleSheet();
 $this->no_cache();
- $this->add_xframe_options();
+ $this->add_http_headers();
 }
 public function SetStyleSheet()
diff --git a/application/webpage.class.inc.php b/application/webpage.class.inc.php
index cb31689e0..4af74c889 100644
--- a/application/webpage.class.inc.php
+++ b/application/webpage.class.inc.php
@@ -482,12 +482,25 @@ class WebPage implements Page
 $this->a_headers[] = $s_header;
 }
+ /**
+ * @param string|null $sXFrameOptionsHeaderValue passed to {@see add_xframe_options}
+ *
+ * @return void
+ * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation, replace {@see add_xframe_options} consumers call
+ */
+ public function add_http_headers($sXFrameOptionsHeaderValue = null)
+ {
+ $this->add_xframe_options($sXFrameOptionsHeaderValue);
+ $this->add_xcontent_type_options();
+ }
+
 /**
 * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
 *
 * @since 2.7.3 3.0.0 N°3416
 * @uses security_header_xframe config parameter
 * @uses \utils::GetConfig()
+ *
 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 */
 public function add_xframe_options($sHeaderValue = null)
@@ -499,6 +512,17 @@ class WebPage implements Page
 $this->add_header('X-Frame-Options: '.$sHeaderValue);
 }
+ /**
+ * @return void
+ * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
+ *
+ * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ */
+ public function add_xcontent_type_options()
+ {
+ $this->add_header('X-Content-Type-Options: nosniff');
+ }
+
 /**
 * Add needed headers to the page so that it will no be cached
 */
diff --git a/application/xmlpage.class.inc.php b/application/xmlpage.class.inc.php
index ce98884a1..fee79a4ea 100644
--- a/application/xmlpage.class.inc.php
+++ b/application/xmlpage.class.inc.php
@@ -44,7 +44,7 @@ class XMLPage extends WebPage
 $this->m_bHeaderSent = false;
 $this->add_header("Content-type: text/xml; charset=".self::PAGES_CHARSET);
 $this->no_cache();
- $this->add_xframe_options();
+ $this->add_http_headers();
 $this->add_header("Content-location: export.xml");
 }
diff --git a/datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php b/datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php
index 1ee703e02..52712c7f8 100644
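Review bot: The docblock of the new `add_http_headers` only names the pass-through parameter; it should say what the method emits and what the argument means, because callers in this same patch pass `''` and `'DENY'`. Per the `add_xframe_options` docblock in this hunk, `null` selects the `security_header_xframe` config value, while the visible `$this->add_header('X-Frame-Options: '.$sHeaderValue)` suggests any string, including `''`, is sent verbatim, so `''` presumably yields a header with an empty value rather than no header at all. Note also that `add_header()` simply appends to `$this->a_headers[]` (top of the hunk), so a consumer calling this after a constructor that already called it queues both headers twice; whether the output path collapses duplicates is not visible here. I would add above `@param`: `* Queue the security HTTP headers every page must send: X-Frame-Options (from $sXFrameOptionsHeaderValue, or the security_header_xframe config value when null; '' sends an empty value) and X-Content-Type-Options: nosniff.` followed by `* Note: add_header() appends, so calling this after the page constructor queues both headers a second time.`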
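Review bot: `add_xcontent_type_options` carries only `@return`/`@since`, and `nosniff` has a consequence worth writing down: the browser stops MIME-sniffing, treats the body strictly as the declared Content-Type, and blocks `<script>`/`<link rel=stylesheet>` responses whose type is not a JavaScript/CSS type. Every WebPage subclass therefore has to declare an accurate Content-Type; CSVPage and XMLPage do in this patch, while pages built for script output (e.g. the `.js` branch of pages/ajax.document.php) need checking. I would add: `* Sends X-Content-Type-Options: nosniff (the only defined value): the browser honours the declared Content-Type instead of sniffing, so a page whose body is a script or stylesheet must send a matching MIME type or the resource is blocked.`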
--- a/datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php
+++ b/datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php
@@ -7,7 +7,7 @@ class HubConnectorPage extends NiceWebPage
 parent::__construct($sTitle);
 $this->no_cache();
- $this->add_xframe_options();
+ $this->add_http_headers();
 $sImagesDir = utils::GetAbsoluteUrlAppRoot().'images';
 $sModuleImagesDir = utils::GetAbsoluteUrlModulesRoot().'itop-hub-connector/images';
diff --git a/pages/ajax.document.php b/pages/ajax.document.php
index c1bb4c667..26c2b35f2 100644
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -67,7 +67,7 @@ try
 // X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 // so we're resetting its value ! (see N°3416)
- $oPage->add_xframe_options('');
+ $oPage->add_http_headers('');
 $oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
 }
@@ -88,7 +88,7 @@ try
 // X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 // so we're resetting its value ! (see N°3416)
- $oPage->add_xframe_options('');
+ $oPage->add_http_headers('');
 $oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
 }
@@ -103,7 +103,7 @@ try
 // X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 // so we're resetting its value ! (see N°3416)
- $oPage->add_xframe_options('');
+ $oPage->add_http_headers('');
 $oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
 break;
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index 2d63f1acf..748bea799 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
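Review bot: The two comment lines kept above the replaced call still describe it as resetting only the X-Frame-Options value, but `add_http_headers('')` now also queues `X-Content-Type-Options: nosniff` a second time; since `add_xframe_options('')` remains public in this patch, keeping that narrower call here would match the comment, or the comment should become `// so we're resetting its value ! (see N°3416) - note add_http_headers also re-sends X-Content-Type-Options: nosniff`. Separately, this branch serves a cached `.js` body through `file_get_contents`; with `nosniff` now sent, a browser only executes it from a `<script>` tag if the page's Content-Type is a JavaScript MIME type, and that header is set outside this hunk, so it is worth verifying. The same remark applies to the two hunks above; the enclosing `try` starts outside the hunk.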
@@ -1036,7 +1036,7 @@ try
 // X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 // so we're resetting its value ! (see N°3416)
- $oPage->add_xframe_options('');
+ $oPage->add_http_headers('');
 // N°4129 - Prevent XSS attacks & other script executions
 if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
diff --git a/setup/email.test.php b/setup/email.test.php
index abe8a0ce2..0c36972b8 100644
--- a/setup/email.test.php
+++ b/setup/email.test.php
@@ -38,7 +38,7 @@ $oP = new SetupPage('iTop email test utility');
 // Although this page doesn't expose sensitive info, with it we can send multiple emails
 // So we're adding this http header to reduce CSRF exposure...
-$oP->add_xframe_options('DENY');
+$oP->add_http_headers('DENY');
 /**
diff --git a/sources/application/TwigBase/Controller/Controller.php b/sources/application/TwigBase/Controller/Controller.php
index e8618699d..d7d76ff9f 100644
--- a/sources/application/TwigBase/Controller/Controller.php
+++ b/sources/application/TwigBase/Controller/Controller.php
@@ -576,7 +576,7 @@ abstract class Controller {
 case 'html':
 $this->m_oPage = new iTopWebPage($this->GetOperationTitle());
- $this->m_oPage->add_xframe_options();
+ $this->m_oPage->add_http_headers();
 if ($this->m_bIsBreadCrumbEnabled) {
 if (count($this->m_aBreadCrumbEntry) > 0) {
diff --git a/tests/php-unit-tests/legacy-tests/benchmark.php b/tests/php-unit-tests/legacy-tests/benchmark.php
index 26f5dbb70..18fe2de33 100644
--- a/tests/php-unit-tests/legacy-tests/benchmark.php
+++ b/tests/php-unit-tests/legacy-tests/benchmark.php
@@ -782,7 +782,7 @@ try
 case 'create_structure':
 $oP->no_cache();
- $oP->add_xframe_options('DENY');
+ $oP->add_http_headers('DENY');
 $iPlannedContacts = Utils::ReadParam('plannedcontacts');
 $iPlannedContracts = Utils::ReadParam('plannedcontracts');
diff --git a/webservices/export-v2.php b/webservices/export-v2.php
index 97fce9861..fdd588dd1 100644
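Review bot: As in pages/ajax.document.php, the comment kept above the changed line says the call resets the X-Frame-Options value only, while `add_http_headers('')` also re-queues `X-Content-Type-Options: nosniff`; for an inline document that is a welcome companion to the N°4129 sandbox just below, since the browser will no longer sniff the body into a different type than the one declared, so the intent should be recorded rather than left implicit. I would extend the comment to `// so we're resetting its value ! (see N°3416) - add_http_headers also re-sends X-Content-Type-Options: nosniff, which the N°4129 sandbox below relies on the browser honouring`. The enclosing `try` and the `if` opened on the last hunk line continue outside the hunk.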
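Review bot: The comment retained above `$oP->add_http_headers('DENY')` attributes the header to CSRF exposure, but `X-Frame-Options: DENY` only prevents this page from being framed (clickjacking); it does nothing against a cross-site form post, which is the CSRF vector the "send multiple emails" remark is worried about, so the comment now overstates the protection. I would reword it as `// So we're adding X-Frame-Options: DENY to prevent clickjacking (this does not protect against CSRF)`. The file-level statement run continues outside the hunk.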
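Review bot: The call `$this->m_oPage->add_http_headers();` right after `new iTopWebPage(...)` is redundant: this same patch makes the iTopWebPage constructor call `add_http_headers()`, and `add_header()` only appends to `$this->a_headers[]`, so for the html case both headers are queued twice. That is harmless only if the output path lets a later header() call replace the earlier one, which is not visible here; I would drop the line, and if the second call is intentional, say why in a comment on it. The enclosing `switch` and method start and end outside the hunk.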
--- a/webservices/export-v2.php
+++ b/webservices/export-v2.php
@@ -44,7 +44,7 @@ function ReportErrorAndExit($sErrorMessage)
 else {
 $oP = new WebPage("iTop - Export");
- $oP->add_xframe_options();
+ $oP->add_http_headers();
 $oP->p('ERROR: '.$sErrorMessage);
 $oP->output();
 exit(-1);
@@ -63,7 +63,7 @@ function ReportErrorAndUsage($sErrorMessage)
 } else {
 $oP = new WebPage("iTop - Export");
- $oP->add_xframe_options();
+ $oP->add_http_headers();
 $oP->p('ERROR: '.$sErrorMessage);
 Usage($oP);
 $oP->output();
@@ -729,14 +729,14 @@ try
 // Note: Using NiceWebPage only for HTML export as it includes JS scripts & files, which makes no sense in other export formats. More over, it breaks Excel spreadsheet import.
 if($oExporter instanceof HTMLBulkExport) {
 $oP = new NiceWebPage('iTop export');
- $oP->add_xframe_options();
+ $oP->add_http_headers();
 $oP->add_ready_script("$('table.listResults').tablesorter({widgets: ['MyZebra']});");
 $oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
 $oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
 } else {
 $oP = new WebPage('iTop export');
- $oP->add_xframe_options();
+ $oP->add_http_headers();
 $oP->add_style("table br { mso-data-placement:same-cell; }"); // Trick for Excel: keep line breaks inside the same cell !
 }
 $oP->add_style("body { overflow: auto; }");
@@ -759,7 +759,7 @@ catch (BulkExportMissingParameterException $e)
 }
 catch (Exception $e) {
 $oP = new WebPage('iTop Export');
- $oP->add_xframe_options();
+ $oP->add_http_headers();
 $oP->add('Error: '.utils::HtmlEntities($e->getMessage()));
 IssueLog::Error(utils::HtmlEntities($e->getMessage())."\n".$e->getTraceAsString());
 $oP->output();