loleaflet/dist/loleaflet.html | 2 +- net/Socket.cpp | 5 ++++- net/Socket.hpp | 5 ++--- wsd/FileServer.cpp | 14 ++++++++++---- wsd/LOOLWSD.cpp | 8 ++------ 5 files changed, 19 insertions(+), 15 deletions(-)
New commits: commit 1ca873d57e6c832626fa3fa0da7ea2d301df70ee Author: Pranav Kant <pran...@collabora.co.uk> Date: Sun Apr 9 22:56:37 2017 +0530 security: X-XSS-Protection header Change-Id: I050cba3ad8aeedaefa773d78254a3a37a7ddef30 diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp index da2c596f..07c9857b 100644 --- a/wsd/FileServer.cpp +++ b/wsd/FileServer.cpp @@ -140,6 +140,9 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M if (!FileServerRequestHandler::tryAdminLogin(request, response)) throw Poco::Net::NotAuthenticatedException("Invalid admin login"); + + // Ask UAs to block if they detect any XSS attempt + response.add("X-XSS-Protection", "1; mode=block"); } const std::string fileType = filePath.getExtension(); @@ -332,7 +335,8 @@ void FileServerRequestHandler::preprocessAndSendLoleafletHtml(const HTTPRequest& << "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n" << "Content-Length: " << preprocess.size() << "\r\n" << "Content-Type: " << mimeType << "\r\n" - << "X-Content-Type-Options: nosniff\r\n"; + << "X-Content-Type-Options: nosniff\r\n" + << "X-XSS-Protection: 1; mode=block\r\n"; if (!wopiDomain.empty()) { commit 61b7112aa7dfad0898ed4654e889465029776562 Author: Pranav Kant <pran...@collabora.co.uk> Date: Sun Apr 9 21:18:05 2017 +0530 security: X-Content-Type-Options: nosniff Don't think it is necessary/useful to have this header at other places. This is the most important and perhaps the only where presence of this header is required and seems sensible to prevent potential attacks. Change-Id: Iad318e4b83264ac83620b86a40a49e7384e4015e diff --git a/net/Socket.cpp b/net/Socket.cpp index e4d2df4e..b38dd3fe 100644 --- a/net/Socket.cpp +++ b/net/Socket.cpp 
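Review bot: `response.add("X-XSS-Protection", "1; mode=block")` in the admin branch of handleRequest appends rather than replaces, so a response object that already carries this header (set by a caller or an earlier branch outside the hunk) would go out with it twice; `response.set("X-XSS-Protection", "1; mode=block")` is the right call for a single-valued header. The line also deserves a comment saying what it is not: the browser XSS auditor this header drives is a legacy, vendor-specific filter (never implemented in Firefox, since removed from Chromium, and `mode=block` has been reported as usable for cross-site leaks), so it must not be counted as the XSS defence for the admin console — a Content-Security-Policy on the admin pages is the durable control. The enclosing `if` block and handleRequest itself start outside the hunk.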
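Review bot: The security headers for loleaflet.html are now assembled in two unrelated ways — Poco `response.add(...)` in handleRequest and a raw `<< "X-XSS-Protection: 1; mode=block\r\n"` into the ostringstream here — so every future header has to be remembered in both places and the two sets have already started to drift (this path also writes nosniff by hand). A small helper that emits the fixed set of hardening headers for a given response, used by both paths, would keep them in sync; at minimum the raw block here should carry a comment naming the headers it is expected to mirror. preprocessAndSendLoleafletHtml starts and ends outside the hunk.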
@@ -187,7 +187,7 @@ void SocketPoll::dumpState(std::ostream& os) namespace HttpHelper { - void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path, + void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path, const std::string& mediaType, Poco::Net::HTTPResponse& response, bool noCache, bool deflate) { struct stat st; @@ -207,6 +207,9 @@ namespace HttpHelper response.set("ETag", "\"" LOOLWSD_VERSION_HASH "\""); } + response.setContentType(mediaType); + response.add("X-Content-Type-Options", "nosniff"); + int bufferSize = std::min(st.st_size, (off_t)Socket::MaximumSendBufferSize); if (st.st_size >= socket->getSendBufferSize()) { diff --git a/net/Socket.hpp b/net/Socket.hpp index 33dbbe5e..754c4d12 100644 --- a/net/Socket.hpp +++ b/net/Socket.hpp @@ -902,15 +902,14 @@ protected: namespace HttpHelper { - void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path, + void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path, const std::string& mediaType, Poco::Net::HTTPResponse& response, bool noCache = false, bool deflate = false); inline void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path, const std::string& mediaType, bool noCache = false, bool deflate = false) { Poco::Net::HTTPResponse response; - response.setContentType(mediaType); - sendFile(socket, path, response, noCache, deflate); + sendFile(socket, path, mediaType, response, noCache, deflate); } }; diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp index fd5fb0c1..da2c596f 100644 --- a/wsd/FileServer.cpp +++ b/wsd/FileServer.cpp 
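Review bot: `response.setContentType(mediaType)` followed by `response.add("X-Content-Type-Options", "nosniff")` makes the nosniff guarantee only as strong as `mediaType`, which every caller in this series now derives from the file extension; if that lookup can return an empty string for an unknown extension (getContentType is outside the hunk, so this is an assumption to confirm), the file is sent with an empty Content-Type plus nosniff, which is refused as script or style but otherwise leaves the browser to its own fallback handling. Guard it here, where all senders converge: `response.setContentType(mediaType.empty() ? "application/octet-stream" : mediaType);`. As in FileServer, `add` should be `set` so a pre-populated response does not emit the header twice. sendFile's body continues past the hunk.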
@@ -180,9 +180,8 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M } } - response.setContentType(mimeType); bool deflate = request.hasToken("Accept-Encoding", "deflate"); - HttpHelper::sendFile(socket, filePath.toString(), response, noCache, deflate); + HttpHelper::sendFile(socket, filePath.toString(), mimeType, response, noCache, deflate); } } catch (const Poco::Net::NotAuthenticatedException& exc) @@ -332,7 +331,8 @@ void FileServerRequestHandler::preprocessAndSendLoleafletHtml(const HTTPRequest& << "Cache-Control:max-age=11059200\r\n" << "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n" << "Content-Length: " << preprocess.size() << "\r\n" - << "Content-Type: " << mimeType << "\r\n"; + << "Content-Type: " << mimeType << "\r\n" + << "X-Content-Type-Options: nosniff\r\n"; if (!wopiDomain.empty()) { diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp index 715bf3d9..2672a23a 100644 --- a/wsd/LOOLWSD.cpp +++ b/wsd/LOOLWSD.cpp @@ -1763,6 +1763,7 @@ private: << "User-Agent: LOOLWSD WOPI Agent\r\n" << "Content-Length: " << xml.size() << "\r\n" << "Content-Type: " << mediaType << "\r\n" + << "X-Content-Type-Options: nosniff\r\n" << "\r\n" << xml; @@ -1983,8 +1984,7 @@ private: try { - response.setContentType(contentType); - HttpHelper::sendFile(socket, filePath.toString(), response); + HttpHelper::sendFile(socket, filePath.toString(), contentType, response); responded = true; } catch (const Exception& exc) commit 49bd32c6300d662d6cbc7feb278a2d8b3fb82b88 Author: Pranav Kant <pran...@collabora.co.uk> Date: Sun Apr 9 17:37:11 2017 +0530 security: CORS: No need for this header No idea why it was here in the first place, but download requests are only made from frames with same origin, so there should be no need to specify such headers which allow anyone (with other origins) to make download requests to us. Change-Id: I314a7ad4c6df8664b1d191cb88ae42c4248ff517 diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp index 5e6d9786..715bf3d9 100644 
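Review bot: The download path at `HttpHelper::sendFile(socket, filePath.toString(), contentType, response)` now sends nosniff, but nosniff does not stop a browser from rendering a file whose declared type is text/html, and `contentType` is derived from the requested file's extension; since the CSP commit on this page says the same frame is used for "downloading the file (in different formats)", a document exported to an HTML-like format would render inline in the server's own origin with its scripts active, unless a `Content-Disposition: attachment` header is already set outside the hunk. Adding `response.set("Content-Disposition", "attachment; filename=\"" + fileName + "\"");` before the sendFile call (with `fileName` sanitised against quotes and CR/LF) closes that regardless of sniffing. The enclosing request handler starts and ends outside the hunk.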
--- a/wsd/LOOLWSD.cpp +++ b/wsd/LOOLWSD.cpp @@ -1975,7 +1975,6 @@ private: if (filePath.isAbsolute() && File(filePath).exists()) { std::string contentType = getContentType(fileName); - response.set("Access-Control-Allow-Origin", "*"); if (Poco::Path(fileName).getExtension() == "pdf") { contentType = "application/pdf"; commit 63631dff24a507de68b8b038cd15f7c34ad52ea5 Author: Pranav Kant <pran...@collabora.co.uk> Date: Sun Apr 9 17:23:50 2017 +0530 security: CSP: add frame-src 'self' We need to be able to create iframes sometimes with same origin as ours, eg: when loading the 'loading' page during slideshow or downloading the file (in different formats). The 'blob:' is only used for printing purposes. Change-Id: I93666ee45e707997969e151af5142efeeca0d177 diff --git a/loleaflet/dist/loleaflet.html b/loleaflet/dist/loleaflet.html index 05a49e07..8b3f794c 100644 --- a/loleaflet/dist/loleaflet.html +++ b/loleaflet/dist/loleaflet.html @@ -4,7 +4,7 @@ <title>Online Editor</title> <meta charset="utf-8"> <meta http-equiv="Content-Security-Policy" content="default-src 'none'; - frame-src blob:; + frame-src 'self' blob:; connect-src 'self' %HOST%; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; commit 32dde923f7eb307bfed9c59477f3a812c61129b8 Author: Pranav Kant <pran...@collabora.co.uk> Date: Fri Apr 7 15:30:23 2017 +0530 security: CORS: No need to allow requests from anywhere insertfile post requests should be made only from our origin. Mentioning a '*' against allow-access-allow-origin allows other origins to be able to make requests to insertfile too provided the attacker knows the doc key which is not very hard to guess/get. Change-Id: If98351df48935cfcdc18d6879167c0ac6089796c diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp index 1fca253b..5e6d9786 100644 --- a/wsd/LOOLWSD.cpp +++ b/wsd/LOOLWSD.cpp 
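Review bot: Dropping `response.set("Access-Control-Allow-Origin", "*")` on the download response only stops scripts on other origins from reading the body; it does not stop a cross-site page from issuing the request in the first place (a top-level navigation, `<a download>` or form GET still reaches this handler), and the message of commit 32dde92 below concedes that the doc key naming the download is "not very hard to guess/get". If the doc key is the only thing authorising the download, the remaining fix lies outside this hunk: tie the download to an unguessable per-session token or to the WebSocket session that produced the file, and check it before `File(filePath).exists()` is consulted. The enclosing branch starts and ends outside the hunk.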
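Review bot: `frame-src 'self' blob:` is reasonable, but this policy is delivered in a `<meta http-equiv>` tag, where `frame-ancestors` is ignored by specification and the policy applies only from the point the tag is parsed; the server already emits a `Content-Security-Policy` header for this page in preprocessAndSendLoleafletHtml (the X-Frame-Options hunk below), so the whole policy belongs in that header rather than being split between the two. Note too that the same policy still carries `script-src 'self' 'unsafe-inline'`, which is what actually decides whether injected script runs on this page — the X-XSS-Protection header added above does not substitute for tightening that. Suggested comment on the directive: `<!-- frame-src 'self': same-origin iframes for the slideshow 'loading' page and format downloads; blob: for printing -->`.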
@@ -1896,9 +1896,6 @@ private: else if (tokens.count() >= 4 && tokens[3] == "insertfile") { LOG_INF("Insert file request."); - response.set("Access-Control-Allow-Origin", "*"); - response.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS"); - response.set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept"); std::string tmpPath; ConvertToPartHandler handler(tmpPath); commit df8ac5f33e68011fa83d5afb90733f9071889a72 Author: Pranav Kant <pran...@collabora.co.uk> Date: Fri Apr 7 15:08:38 2017 +0530 wsd: Only set these headers if its WOPI Change-Id: I1ccedc9828a724b55f8642aaa2b934c37f49a4dd diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp index 70abae4a..fd5fb0c1 100644 --- a/wsd/FileServer.cpp +++ b/wsd/FileServer.cpp @@ -332,11 +332,13 @@ void FileServerRequestHandler::preprocessAndSendLoleafletHtml(const HTTPRequest& << "Cache-Control:max-age=11059200\r\n" << "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n" << "Content-Length: " << preprocess.size() << "\r\n" - << "Content-Type: " << mimeType << "\r\n" - << "X-Frame-Options: allow-from " << wopiDomain << "\r\n"; + << "Content-Type: " << mimeType << "\r\n"; if (!wopiDomain.empty()) - oss << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n"; + { + oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n" + << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n"; + } oss << "\r\n" << preprocess; _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
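Review bot: Removing the three `Access-Control-Allow-*` headers from the insertfile branch does not stop a cross-site page from making this request, which is what the commit message sets out to prevent: a multipart/form-data POST is a CORS "simple" request that browsers send without preflight, and the missing Access-Control-Allow-Origin only hides the response from the attacker's script. With the doc key as the sole secret the handler is still reachable cross-site, so it needs an actual CSRF control — reject requests whose `Origin` (or, failing that, `Referer`) header is not our own origin before `ConvertToPartHandler handler(tmpPath)` runs, or require a per-session token the client sends with the upload. The enclosing else-if chain continues outside the hunk.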
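Review bot: With this change a deployment where `wopiDomain` is empty sends neither `X-Frame-Options` nor `frame-ancestors`, so the editor can be framed by any site; the previous `X-Frame-Options: allow-from ` with an empty domain was invalid and ignored by browsers, so this is a pre-existing gap the commit now makes explicit rather than a regression, but it is the moment to give the non-WOPI case a default (unless such deployments are expected to be framed by a host page, in which case make it configurable). Two caveats for the WOPI branch: `allow-from` is honoured only by Firefox and legacy IE/Edge, so on Chromium and Safari the `frame-ancestors` line is the only effective control, and `wopiDomain` is interpolated straight into two header lines, so wherever it originates (outside this hunk) it must be rejected if it contains CR, LF or whitespace to rule out header injection. preprocessAndSendLoleafletHtml starts outside the hunk.
```cpp
if (!wopiDomain.empty())
{
    // … unchanged: allow-from / frame-ancestors for the WOPI host …
}
else
{
    // Not embedded by a WOPI host: only our own origin may frame the editor.
    oss << "X-Frame-Options: SAMEORIGIN\r\n"
        << "Content-Security-Policy: frame-ancestors 'self'\r\n";
}
```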