loleaflet/dist/loleaflet.html |    2 +-
 net/Socket.cpp                |    5 ++++-
 net/Socket.hpp                |    5 ++---
 wsd/FileServer.cpp            |   14 ++++++++++----
 wsd/LOOLWSD.cpp               |    8 ++------
 5 files changed, 19 insertions(+), 15 deletions(-)

New commits:
commit 1ca873d57e6c832626fa3fa0da7ea2d301df70ee
Author: Pranav Kant <pran...@collabora.co.uk>
Date:   Sun Apr 9 22:56:37 2017 +0530

    security: X-XSS-Protection header
    
    Change-Id: I050cba3ad8aeedaefa773d78254a3a37a7ddef30

diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index da2c596f..07c9857b 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -140,6 +140,9 @@ void FileServerRequestHandler::handleRequest(const 
HTTPRequest& request, Poco::M
 
                 if (!FileServerRequestHandler::tryAdminLogin(request, 
response))
                     throw Poco::Net::NotAuthenticatedException("Invalid admin 
login");
+
+                // Ask UAs to block if they detect any XSS attempt
+                response.add("X-XSS-Protection", "1; mode=block");
             }
 
             const std::string fileType = filePath.getExtension();
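Review bot: `X-XSS-Protection` is added only inside the admin-login branch, so every other file this handler serves leaves without it, while the previous commit in this series centralised `nosniff` in `HttpHelper::sendFile`; the consistent place is next to that line, `response.set("X-XSS-Protection", "1; mode=block");`, so all static responses carry it. Prefer `response.set` over `response.add` for this kind of header: `add` appends even when the header is already present, producing duplicates when a caller pre-populates the response. Keep in mind the header only enables a heuristic browser filter and is not a substitute for a CSP without `'unsafe-inline'`. The enclosing `if` block of handleRequest starts outside the hunk.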
@@ -332,7 +335,8 @@ void 
FileServerRequestHandler::preprocessAndSendLoleafletHtml(const HTTPRequest&
         << "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n"
         << "Content-Length: " << preprocess.size() << "\r\n"
         << "Content-Type: " << mimeType << "\r\n"
-        << "X-Content-Type-Options: nosniff\r\n";
+        << "X-Content-Type-Options: nosniff\r\n"
+        << "X-XSS-Protection: 1; mode=block\r\n";
 
     if (!wopiDomain.empty())
     {
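Review bot: `X-XSS-Protection: 1; mode=block` on the loleaflet.html response is only a heuristic reflected-XSS filter in some browsers, while the page's own CSP (loleaflet.html in this series) still allows `script-src 'self' 'unsafe-inline'`, which is exactly what an injected payload needs; a comment should say so before someone treats this header as the mitigation, e.g. `// Legacy reflected-XSS filter hint; the real control is the page CSP, which still permits 'unsafe-inline'`. Replacing `'unsafe-inline'` with nonces or hashes is the durable fix. preprocessAndSendLoleafletHtml continues past the hunk.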
commit 61b7112aa7dfad0898ed4654e889465029776562
Author: Pranav Kant <pran...@collabora.co.uk>
Date:   Sun Apr 9 21:18:05 2017 +0530

    security: X-Content-Type-Options: nosniff
    
    Don't think it is necessary/useful to have this header at other places.
    This is the most important and perhaps the only place where the presence of this
    header is required and seems sensible to prevent potential attacks.
    
    Change-Id: Iad318e4b83264ac83620b86a40a49e7384e4015e

diff --git a/net/Socket.cpp b/net/Socket.cpp
index e4d2df4e..b38dd3fe 100644
--- a/net/Socket.cpp
+++ b/net/Socket.cpp
@@ -187,7 +187,7 @@ void SocketPoll::dumpState(std::ostream& os)
 
 namespace HttpHelper
 {
-    void sendFile(const std::shared_ptr<StreamSocket>& socket, const 
std::string& path,
+    void sendFile(const std::shared_ptr<StreamSocket>& socket, const 
std::string& path, const std::string& mediaType,
                   Poco::Net::HTTPResponse& response, bool noCache, bool 
deflate)
     {
         struct stat st;
@@ -207,6 +207,9 @@ namespace HttpHelper
             response.set("ETag", "\"" LOOLWSD_VERSION_HASH "\"");
         }
 
+        response.setContentType(mediaType);
+        response.add("X-Content-Type-Options", "nosniff");
+
         int bufferSize = std::min(st.st_size, 
(off_t)Socket::MaximumSendBufferSize);
         if (st.st_size >= socket->getSendBufferSize())
         {
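Review bot: `response.add("X-Content-Type-Options", "nosniff")` appends unconditionally, so a caller that already set the header on the response it passes in will send it twice; `response.set("X-Content-Type-Options", "nosniff");` replaces instead and is the safer form for a helper that takes a caller-built response. With `nosniff` in place browsers refuse to execute a script or stylesheet whose Content-Type is missing or wrong, so an empty or generic `mediaType` for an unmapped extension now becomes a silently broken asset rather than a sniffed one — worth a guard such as `if (mediaType.empty()) LOG_INF("sendFile: no media type for " << path);` (or the project's warning macro) if `getContentType` can return an empty string, which I cannot see from here. sendFile's body continues outside the hunk.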
diff --git a/net/Socket.hpp b/net/Socket.hpp
index 33dbbe5e..754c4d12 100644
--- a/net/Socket.hpp
+++ b/net/Socket.hpp
@@ -902,15 +902,14 @@ protected:
 
 namespace HttpHelper
 {
-    void sendFile(const std::shared_ptr<StreamSocket>& socket, const 
std::string& path,
+    void sendFile(const std::shared_ptr<StreamSocket>& socket, const 
std::string& path, const std::string& mediaType,
                   Poco::Net::HTTPResponse& response, bool noCache = false, 
bool deflate = false);
 
     inline void sendFile(const std::shared_ptr<StreamSocket>& socket, const 
std::string& path,
                          const std::string& mediaType, bool noCache = false, 
bool deflate = false)
     {
         Poco::Net::HTTPResponse response;
-        response.setContentType(mediaType);
-        sendFile(socket, path, response, noCache, deflate);
+        sendFile(socket, path, mediaType, response, noCache, deflate);
     }
 };
 
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index fd5fb0c1..da2c596f 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -180,9 +180,8 @@ void FileServerRequestHandler::handleRequest(const 
HTTPRequest& request, Poco::M
                 }
             }
 
-            response.setContentType(mimeType);
             bool deflate = request.hasToken("Accept-Encoding", "deflate");
-            HttpHelper::sendFile(socket, filePath.toString(), response, 
noCache, deflate);
+            HttpHelper::sendFile(socket, filePath.toString(), mimeType, 
response, noCache, deflate);
         }
     }
     catch (const Poco::Net::NotAuthenticatedException& exc)
@@ -332,7 +331,8 @@ void 
FileServerRequestHandler::preprocessAndSendLoleafletHtml(const HTTPRequest&
         << "Cache-Control:max-age=11059200\r\n"
         << "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n"
         << "Content-Length: " << preprocess.size() << "\r\n"
-        << "Content-Type: " << mimeType << "\r\n";
+        << "Content-Type: " << mimeType << "\r\n"
+        << "X-Content-Type-Options: nosniff\r\n";
 
     if (!wopiDomain.empty())
     {
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 715bf3d9..2672a23a 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -1763,6 +1763,7 @@ private:
             << "User-Agent: LOOLWSD WOPI Agent\r\n"
             << "Content-Length: " << xml.size() << "\r\n"
             << "Content-Type: " << mediaType << "\r\n"
+            << "X-Content-Type-Options: nosniff\r\n"
             << "\r\n"
             << xml;
 
@@ -1983,8 +1984,7 @@ private:
 
                 try
                 {
-                    response.setContentType(contentType);
-                    HttpHelper::sendFile(socket, filePath.toString(), 
response);
+                    HttpHelper::sendFile(socket, filePath.toString(), 
contentType, response);
                     responded = true;
                 }
                 catch (const Exception& exc)
commit 49bd32c6300d662d6cbc7feb278a2d8b3fb82b88
Author: Pranav Kant <pran...@collabora.co.uk>
Date:   Sun Apr 9 17:37:11 2017 +0530

    security: CORS: No need for this header
    
    No idea why it was here in the first place, but download requests are
    only made from frames with same origin, so there should be no need to
    specify such headers which allow anyone (with other origins) to make
    download requests to us.
    
    Change-Id: I314a7ad4c6df8664b1d191cb88ae42c4248ff517

diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 5e6d9786..715bf3d9 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -1975,7 +1975,6 @@ private:
             if (filePath.isAbsolute() && File(filePath).exists())
             {
                 std::string contentType = getContentType(fileName);
-                response.set("Access-Control-Allow-Origin", "*");
                 if (Poco::Path(fileName).getExtension() == "pdf")
                 {
                     contentType = "application/pdf";
commit 63631dff24a507de68b8b038cd15f7c34ad52ea5
Author: Pranav Kant <pran...@collabora.co.uk>
Date:   Sun Apr 9 17:23:50 2017 +0530

    security: CSP: add frame-src 'self'
    
    We need to be able to create iframes sometimes with same origin as ours,
    eg: when loading the 'loading' page during slideshow or downloading the
    file (in different formats). The 'blob:' is only used for printing
    purposes.
    
    Change-Id: I93666ee45e707997969e151af5142efeeca0d177

diff --git a/loleaflet/dist/loleaflet.html b/loleaflet/dist/loleaflet.html
index 05a49e07..8b3f794c 100644
--- a/loleaflet/dist/loleaflet.html
+++ b/loleaflet/dist/loleaflet.html
@@ -4,7 +4,7 @@
 <title>Online Editor</title>
 <meta charset="utf-8">
 <meta http-equiv="Content-Security-Policy" content="default-src 'none';
-                                                   frame-src blob:;
+                                                   frame-src 'self' blob:;
                                                    connect-src 'self' %HOST%;
                                                    script-src 'self' 
'unsafe-inline';
                                                    style-src 'self' 
'unsafe-inline';
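Review bot: Nothing in the markup records why `frame-src` needs both `'self'` and `blob:`, so a later tightening pass is likely to strip one and break the slideshow/download frames or printing; the rationale from the commit message belongs next to the policy, e.g. `<!-- frame-src: 'self' for the same-origin loading/download frames, blob: for printing; frame-ancestors cannot be set from a meta tag and is sent as an HTTP header by FileServer -->`. Note also that `script-src` still carries `'unsafe-inline'`, which leaves the rest of the policy doing little against injected script; nonces or hashes would allow it to be dropped.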
commit 32dde923f7eb307bfed9c59477f3a812c61129b8
Author: Pranav Kant <pran...@collabora.co.uk>
Date:   Fri Apr 7 15:30:23 2017 +0530

    security: CORS: No need to allow requests from anywhere
    
    insertfile post requests should be made only from our origin.
    Mentioning a '*' against Access-Control-Allow-Origin allows other origins
    to be able to make requests to insertfile too provided the attacker
    knows the doc key which is not very hard to guess/get.
    
    Change-Id: If98351df48935cfcdc18d6879167c0ac6089796c

diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 1fca253b..5e6d9786 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -1896,9 +1896,6 @@ private:
         else if (tokens.count() >= 4 && tokens[3] == "insertfile")
         {
             LOG_INF("Insert file request.");
-            response.set("Access-Control-Allow-Origin", "*");
-            response.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
-            response.set("Access-Control-Allow-Headers", "Origin, 
X-Requested-With, Content-Type, Accept");
 
             std::string tmpPath;
             ConvertToPartHandler handler(tmpPath);
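Review bot: Dropping the `Access-Control-Allow-*` headers does not stop other origins from sending this POST; CORS only withholds the response from cross-origin script, and a multipart form POST is a "simple" request that browsers send without preflight, so an attacker page can still fire an insertfile upload against a guessed doc key — the very scenario the commit message describes. The handler still needs a server-side check: compare the `Origin` (or `Referer`) request header with the host being served, or require a per-session token, and answer 403 otherwise. The insertfile handler continues outside the hunk, so it may already validate something there; if so, a comment at this point saying which check protects the endpoint would help the next reader.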
commit df8ac5f33e68011fa83d5afb90733f9071889a72
Author: Pranav Kant <pran...@collabora.co.uk>
Date:   Fri Apr 7 15:08:38 2017 +0530

    wsd: Only set these headers if its WOPI
    
    Change-Id: I1ccedc9828a724b55f8642aaa2b934c37f49a4dd

diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 70abae4a..fd5fb0c1 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -332,11 +332,13 @@ void 
FileServerRequestHandler::preprocessAndSendLoleafletHtml(const HTTPRequest&
         << "Cache-Control:max-age=11059200\r\n"
         << "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n"
         << "Content-Length: " << preprocess.size() << "\r\n"
-        << "Content-Type: " << mimeType << "\r\n"
-        << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
+        << "Content-Type: " << mimeType << "\r\n";
 
     if (!wopiDomain.empty())
-        oss << "Content-Security-Policy: frame-ancestors " << wopiDomain << 
"\r\n";
+    {
+        oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n"
+            << "Content-Security-Policy: frame-ancestors " << wopiDomain << 
"\r\n";
+    }
 
     oss << "\r\n"
         << preprocess;
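Review bot: When `wopiDomain` is empty the response now carries no anti-framing header at all, so the non-WOPI editor page can be embedded by any origin; if that is intended it deserves a comment, otherwise an `else` branch sending `X-Frame-Options: SAMEORIGIN` and `Content-Security-Policy: frame-ancestors 'self'` is the usual default. `X-Frame-Options: allow-from` is ignored by Chrome and Safari, so the `frame-ancestors` line is the effective control and the pair should be documented as such. `wopiDomain` is interpolated into header text unescaped; if it can originate from request input, check it contains no CR/LF before building the header to rule out header injection — where it is derived is not visible in this hunk.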