https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42080
--- Comment #5 from David Cook <[email protected]> ---

(In reply to David Cook from comment #4)
> That said, I think I'll need to think on this one a bit more. I love
> Content-Security-Policy, but it won't be turned on out of the box, and it'll
> be set globally so the same header will be sent for all pages sent by
> Starman. (I am curious though about layering Content-Security-Policy
> headers. Perhaps we can include the one you've provided PLUS the global one.
> I'm going to look into that shortly.)

Fortunately, it does appear to be possible to have multiple Content-Security-Policy headers. The browser will interpret both of them, and if at least one of them fails, it will block, so yeah, this approach could work well in this case.

That said, I think it would probably be better to undo bug 41591 and re-implement with solutions from this bug report.

> Another thing is while Content-Security-Policy is great (seriously I truly
> love it), it is only one layer of defence. Ideally it would be good to have
> multiple.
>
> So I'm going to think a bit more about what we could do in terms of data
> validation.

It looks like we store the Content-Type header in misc_files.file_type. That and the file extension are both user-supplied fields though, which cannot inherently be trusted.

I think a good first step would be magic number checking. There is a library available that can help with that.

So I think your patch is a good starting place, Eric. I'm just going to build a bit on top of it.

-- 
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
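The cross-check the comment above argues for (content bytes versus the user-supplied Content-Type and extension), as an added illustration that is not Koha code and not from the comment's author. The hand-written magic-number table is a constructed stand-in for the library the comment mentions but does not name; the function and type names are assumptions for this example.

```python
import os

# Magic-number table: detected MIME type -> leading byte signatures.
# Constructed for this example; a real deployment would use a maintained
# library rather than a hand-written table.
MAGIC = {
    "application/pdf": [b"%PDF-"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Extensions accepted for each detected type (the extension is never
# used to decide the type; it only has to agree with the sniffed bytes).
ALLOWED_EXT = {
    "application/pdf": {".pdf"},
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}


def sniff_mime(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_upload(data: bytes, declared_type: str, filename: str):
    """Reject an upload unless bytes, declared Content-Type and extension
    all agree. Returns (accepted, detected_type_or_reason)."""
    detected = sniff_mime(data)
    if detected is None:
        return False, "unrecognised magic number"
    # Drop parameters such as '; charset=...' before comparing.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared != detected:
        return False, f"declared {declared} but content is {detected}"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT[detected]:
        return False, f"extension {ext!r} not allowed for {detected}"
    return True, detected


if __name__ == "__main__":
    # Constructed sample: an HTML document uploaded as a "PNG" is rejected.
    print(validate_upload(b"<html><script>x</script></html>", "image/png", "a.png"))
    print(validate_upload(b"\x89PNG\r\n\x1a\n" + b"\0" * 16, "image/png", "a.png"))
```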
