secure logo uploading, avoid frame-inclusion, adjustments to SECURITY.md and minor changes in UI for domain import and darkmode

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2022-12-02 09:24:08 +01:00
parent 40997762a4
commit 63f6d221cd
7 changed files with 74 additions and 18 deletions
--- a/lib/Froxlor/Settings/Store.php
+++ b/lib/Froxlor/Settings/Store.php
@@ -415,13 +415,18 @@ class Store
 				}

 				// Make sure mime-type matches an image
-				if (!in_array(mime_content_type($_FILES[$fieldname]['tmp_name']), [
-					'image/jpeg',
-					'image/jpg',
-					'image/png',
-					'image/gif'
-				])) {
-					throw new Exception("Uploaded file not a valid image");
+				if (function_exists('finfo_open')) {
+					$finfo = finfo_open(FILEINFO_MIME_TYPE);
+					$mimetype = finfo_file($finfo, $_FILES[$fieldname]['tmp_name']);
+					finfo_close($finfo);
+				} else {
+					$mimetype = mime_content_type($_FILES[$fieldname]['tmp_name']);
+				}
+				if (empty($mimetype)) {
+					$mimetype = 'application/octet-stream';
+				}
+				if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
+					throw new \Exception("Uploaded file is not a valid image");
 				}

 				// Determine file extension
@@ -429,6 +434,15 @@ class Store
 				$file_extension = strtolower(array_pop($spl));
 				unset($spl);

+				if (!in_array($file_extension, [
+					'jpeg',
+					'jpg',
+					'png',
+					'gif'
+				])) {
+					throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
+				}
+
 				// Move file
 				if (!move_uploaded_file($_FILES[$fieldname]['tmp_name'], $path . $fielddata['image_name'] . '.' . $file_extension)) {
 					throw new Exception("Unable to save image to img folder");
--- a/lib/Froxlor/UI/Panel/UI.php
+++ b/lib/Froxlor/UI/Panel/UI.php
@@ -114,7 +114,7 @@ class UI
 		// Inline-JS is no longer allowed and used
 		// See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
 		// New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
-		$csp_content = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';";
+		$csp_content = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'self'; frame-src 'self'; frame-ancestors 'self';";
 		header("Content-Security-Policy: " . $csp_content);
 		header("X-Content-Security-Policy: " . $csp_content);
 		header("X-WebKit-CSP: " . $csp_content);
--- a/lib/formfields/admin/domains/formfield.domains_import.php
+++ b/lib/formfields/admin/domains/formfield.domains_import.php
@@ -55,6 +55,11 @@ return [
 					]
 				]
 			]
+		],
+		'buttons' => [
+			[
+				'label' => lng('domains.domain_import')
+			]
 		]
 	]
 ];