From f5f7bc449a6a8b27c546f917b7e295781a1cf2d0 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Tue, 4 Nov 2014 13:01:42 +0100
Subject: [PATCH] use recent Content-Security-Policy values and header for all browser, secure script/query-string to redirect to after login if given
Signed-off-by: Michael Kaufmann (d00p)
---
 index.php | 6 +++++-
 lib/init.php | 14 ++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/index.php b/index.php
index cad928d6..29b8686b 100644
--- a/index.php
+++ b/index.php
@@ -280,10 +280,14 @@ if ($action == 'login') {
 $lastscript = "";
 if (isset($_REQUEST['script']) && $_REQUEST['script'] != "") {
 $lastscript = $_REQUEST['script'];
+
+ if (!file_exists(__DIR__."/".$lastscript)) {
+ $lastscript = "";
+ }
 }
 $lastqrystr = "";
 if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") {
- $lastqrystr = $_REQUEST['qrystr'];
+ $lastqrystr = strip_tags($_REQUEST['qrystr']);
 }
 eval("echo \"" . getTemplate('login') . "\";");
diff --git a/lib/init.php b/lib/init.php
index 61157c59..bee4fb3a 100644
--- a/lib/init.php
+++ b/lib/init.php
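Review bot: The added `file_exists(__DIR__."/".$lastscript)` guard accepts any path that resolves beneath __DIR__, including traversal sequences (`../`) and directory names such as `.`, because `$lastscript` comes straight from `$_REQUEST` and is only prefixed, never normalised or pattern-checked; since the commit message says this value is the script redirected to after login, it should be pinned to a single plain PHP filename, e.g. `if (!preg_match('/^[a-zA-Z0-9_\-]+\.php$/', $lastscript) || !is_file(__DIR__ . '/' . $lastscript)) { $lastscript = ""; }`. The `strip_tags()` applied to `$lastqrystr` removes angle-bracket tags but leaves `"` and `'` intact, so the value is still not safe inside an HTML attribute of the eval'd login template — `htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES, 'UTF-8')` is the encoding that matches that context, assuming the template emits it into a form field (the template is not visible here). Note that `$_REQUEST` also merges cookie values by default, so both inputs can be supplied via a planted cookie rather than a link. The enclosing `if ($action == 'login')` block continues past the hunk.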
@@ -28,19 +28,25 @@ header('Expires: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time()));
 // Prevent inline - JS to be executed (i.e. XSS) in browsers which support this,
 // Inline-JS is no longer allowed and used
 // See: http://people.mozilla.org/~bsterne/content-security-policy/index.html
-header("X-Content-Security-Policy: allow 'self'; frame-ancestors 'none'");
+// New stuff see: https://www.owasp.org/index.php/List_of_useful_HTTP_headers and https://www.owasp.org/index.php/Content_Security_Policy
+$csp_content = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; reflected-xss block;";
+header("Content-Security-Policy: ".$csp_content);
+header("X-Content-Security-Policy: ".$csp_content);
+header("X-WebKit-CSP: ".$csp_content);
+
+header("X-XSS-Protection: 1; mode=block");
 // Don't allow to load Froxlor in an iframe to prevent i.e. clickjacking
-header('X-Frame-Options: DENY');
+header("X-Frame-Options: DENY");
 // If Froxlor was called via HTTPS -> enforce it for the next time
 if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
- header('Strict-Transport-Security: max-age=500');
+ header("Strict-Transport-Security: max-age=500");
 }
 // Internet Explorer shall not guess the Content-Type, see:
 // http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
-header('X-Content-Type-Options: nosniff' );
+header("X-Content-Type-Options: nosniff");
 // ensure that default timezone is set
 if (function_exists("date_default_timezone_set") && function_exists("date_default_timezone_get")) {
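Review bot: The new `$csp_content` drops the `frame-ancestors 'none'` directive that the removed `X-Content-Security-Policy` header carried, so anti-framing now rests on `X-Frame-Options` alone even though the policy already spells out every other directive; add it back as `$csp_content = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'none'; reflected-xss block;";`. `reflected-xss` exists only in a CSP 1.1 draft and is ignored by browsers that never shipped it, so the real reflected-XSS filter here is the separate `X-XSS-Protection` header — a short comment such as `// reflected-xss is a CSP 1.1 draft directive; X-XSS-Protection below covers browsers without it` would keep the next reader from assuming the CSP line is doing that job. `Strict-Transport-Security: max-age=500` is touched only for quoting, but 500 seconds lets the HSTS pin lapse between two visits; once HTTPS is known to be stable a value on the order of months (e.g. `max-age=15768000`) is the usual minimum. With `default-src 'none'` and no `font-src`, any web fonts the templates load will be blocked — worth confirming against the templates, which are not visible here.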