[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - 7 commits - loleaflet/dist net/Socket.cpp net/Socket.hpp wsd/FileServer.cpp wsd/LOOLWSD.cpp
Pranav Kant
pranavk at collabora.co.uk
Mon Apr 10 11:37:15 UTC 2017
loleaflet/dist/loleaflet.html | 2 +-
net/Socket.cpp | 5 ++++-
net/Socket.hpp | 5 ++---
wsd/FileServer.cpp | 16 +++++++++++++---
wsd/LOOLWSD.cpp | 8 ++------
5 files changed, 22 insertions(+), 14 deletions(-)
New commits:
commit 226d9452056e9124d908434a08545ccd0a2f15fb
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Sun Apr 9 23:53:45 2017 +0530
security: X-Frame-Options: Deny framing if no wopi host
Change-Id: I6936f8a11e3e076e111e0883305f47064e032983
(cherry picked from commit d867f50c363f68bb0104112752f41d8c060470dc)
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 754ab2a4..9f056903 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -349,8 +349,12 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
if (!wopiDomain.empty())
{
- oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n"
- << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n";
+ oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
+ oss << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n";
+ }
+ else
+ {
+ oss << "X-Frame-Options: deny\r\n";
}
oss << "\r\n"
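Review bot: The new `else` branch sends only `X-Frame-Options: deny`, while the `if` branch relies on `allow-from`, which Chrome and Safari ignore, so in that branch the `Content-Security-Policy: frame-ancestors` line is the effective control; both branches should use the same mechanism, i.e. `oss << "X-Frame-Options: deny\r\n"; oss << "Content-Security-Policy: frame-ancestors 'none'\r\n";` in the `else`. `wopiDomain` is also written into the header lines unescaped; where it comes from is not visible in this hunk, but if the request can influence it, it should be checked to be a single origin with no whitespace or CR/LF before being emitted. preprocessFile starts before this hunk and its body continues after it.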
commit 7d0cfcecba857a393fa1657f229abb69353b8d59
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Sun Apr 9 22:56:37 2017 +0530
security: X-XSS-Protection header
Change-Id: I050cba3ad8aeedaefa773d78254a3a37a7ddef30
(cherry picked from commit 1ca873d57e6c832626fa3fa0da7ea2d301df70ee)
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index bbbc40fe..754ab2a4 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -139,6 +139,9 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M
if (!FileServerRequestHandler::isAdminLoggedIn(request, response))
throw Poco::Net::NotAuthenticatedException("Invalid admin login");
+
+ // Ask UAs to block if they detect any XSS attempt
+ response.add("X-XSS-Protection", "1; mode=block");
}
const auto path = Poco::Path(LOOLWSD::FileServerRoot, getRequestPathname(request));
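Review bot: The `X-XSS-Protection` header added after the admin-login check is only reached on the admin path, and the only other place it is set in this push is the preprocessed-file path; ordinary static files that go through `HttpHelper::sendFile` (which now adds `nosniff` centrally) do not get it. If the header is wanted, setting it once next to the `nosniff` line in `sendFile` covers every file response instead of per-handler copies. Keep in mind that this header only toggles the legacy reflected-XSS filter in IE and Chrome and is not a substitute for a script-src policy without 'unsafe-inline'. handleRequest starts before this hunk.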
@@ -341,7 +344,8 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n"
<< "Content-Length: " << preprocess.size() << "\r\n"
<< "Content-Type: " << mimeType << "\r\n"
- << "X-Content-Type-Options: nosniff\r\n";
+ << "X-Content-Type-Options: nosniff\r\n"
+ << "X-XSS-Protection: 1; mode=block\r\n";
if (!wopiDomain.empty())
{
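Review bot: The header value `1; mode=block` is now a raw literal here and again in handleRequest's admin branch, so the two can drift apart silently. I would hoist it into a single file-level constant, e.g. `static const char* const XSS_PROTECTION_VALUE = "1; mode=block";`, and reference it from both places. preprocessFile starts before this hunk and continues after it.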
commit 51e4476b07c0e06417dc458fcf4ddaf72a26f1ae
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Sun Apr 9 21:18:05 2017 +0530
security: X-Content-Type-Options: nosniff
I don't think it is necessary/useful to have this header at other places.
This is the most important, and perhaps the only, place where the presence
of this header is required; it seems sensible here to prevent potential attacks.
Change-Id: Iad318e4b83264ac83620b86a40a49e7384e4015e
(cherry picked from commit 61b7112aa7dfad0898ed4654e889465029776562)
Conflicts:
wsd/FileServer.cpp
diff --git a/net/Socket.cpp b/net/Socket.cpp
index e4d2df4e..b38dd3fe 100644
--- a/net/Socket.cpp
+++ b/net/Socket.cpp
@@ -187,7 +187,7 @@ void SocketPoll::dumpState(std::ostream& os)
namespace HttpHelper
{
- void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path,
+ void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path, const std::string& mediaType,
Poco::Net::HTTPResponse& response, bool noCache, bool deflate)
{
struct stat st;
@@ -207,6 +207,9 @@ namespace HttpHelper
response.set("ETag", "\"" LOOLWSD_VERSION_HASH "\"");
}
+ response.setContentType(mediaType);
+ response.add("X-Content-Type-Options", "nosniff");
+
int bufferSize = std::min(st.st_size, (off_t)Socket::MaximumSendBufferSize);
if (st.st_size >= socket->getSendBufferSize())
{
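Review bot: `response.add("X-Content-Type-Options", "nosniff")` appends rather than replaces, so a caller that already set that header on the `response` it passes in will have it sent twice; `response.set("X-Content-Type-Options", "nosniff");` is what is meant, matching the `set` used for ETag just above. Also, with `nosniff` a browser refuses to run a script or apply a stylesheet whose Content-Type is not a matching type, so `mediaType` must be correct for every file reaching this function; I believe Poco drops the Content-Type header entirely when `setContentType` is given an empty string, so an unknown-extension lookup (not visible here) would make such assets blocked. That contract deserves a comment on the parameter. sendFile's body continues after this hunk.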
diff --git a/net/Socket.hpp b/net/Socket.hpp
index 3b44e803..e8e92277 100644
--- a/net/Socket.hpp
+++ b/net/Socket.hpp
@@ -900,15 +900,14 @@ protected:
namespace HttpHelper
{
- void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path,
+ void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path, const std::string& mediaType,
Poco::Net::HTTPResponse& response, bool noCache = false, bool deflate = false);
inline void sendFile(const std::shared_ptr<StreamSocket>& socket, const std::string& path,
const std::string& mediaType, bool noCache = false, bool deflate = false)
{
Poco::Net::HTTPResponse response;
- response.setContentType(mediaType);
- sendFile(socket, path, response, noCache, deflate);
+ sendFile(socket, path, mediaType, response, noCache, deflate);
}
};
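Review bot: The new `mediaType` parameter is undocumented, and since `sendFile` now sets `Content-Type` and `X-Content-Type-Options` itself, any Content-Type a caller put on `response` before the call is replaced; that contract belongs on the declaration. I would add above the first overload: `/// Streams the file at `path` to `socket`. Sets Content-Type to `mediaType` and X-Content-Type-Options: nosniff on `response` before sending, replacing any Content-Type the caller set.`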
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index d9d0c000..bbbc40fe 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -193,9 +193,8 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M
}
}
- response.setContentType(mimeType);
bool deflate = request.hasToken("Accept-Encoding", "deflate");
- HttpHelper::sendFile(socket, filepath, response, noCache, deflate);
+ HttpHelper::sendFile(socket, filepath, mimeType, response, noCache, deflate);
}
}
catch (const Poco::Net::NotAuthenticatedException& exc)
@@ -341,7 +340,8 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "Cache-Control:max-age=11059200\r\n"
<< "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n"
<< "Content-Length: " << preprocess.size() << "\r\n"
- << "Content-Type: " << mimeType << "\r\n";
+ << "Content-Type: " << mimeType << "\r\n"
+ << "X-Content-Type-Options: nosniff\r\n";
if (!wopiDomain.empty())
{
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 61ea3258..2d1c6779 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -1762,6 +1762,7 @@ private:
<< "User-Agent: LOOLWSD WOPI Agent\r\n"
<< "Content-Length: " << xml.size() << "\r\n"
<< "Content-Type: " << mediaType << "\r\n"
+ << "X-Content-Type-Options: nosniff\r\n"
<< "\r\n"
<< xml;
@@ -1982,8 +1983,7 @@ private:
try
{
- response.setContentType(contentType);
- HttpHelper::sendFile(socket, filePath.toString(), response);
+ HttpHelper::sendFile(socket, filePath.toString(), contentType, response);
responded = true;
}
catch (const Exception& exc)
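Review bot: For this download path `nosniff` does not keep a converted document from rendering inside the server's origin, because the Content-Type is now explicit: an export to an HTML or SVG format would be displayed as a page under this origin with whatever script it carries, unless a `Content-Disposition: attachment` header is set somewhere this hunk does not show. If it is not, I would add `response.set("Content-Disposition", "attachment; filename=\"" + fileName + "\"");` before the `sendFile` call, with `fileName` stripped of quotes and CR/LF first. The enclosing handler starts before this hunk.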
commit 42ea8ecc18c5be041d870ca6ae9f22ae72647fd1
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Sun Apr 9 17:37:11 2017 +0530
security: CORS: No need for this header
No idea why it was here in the first place, but download requests are
only made from frames with same origin, so there should be no need to
specify such headers which allow anyone (with other origins) to make
download requests to us.
Change-Id: I314a7ad4c6df8664b1d191cb88ae42c4248ff517
(cherry picked from commit 49bd32c6300d662d6cbc7feb278a2d8b3fb82b88)
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index d95d9047..61ea3258 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -1974,7 +1974,6 @@ private:
if (filePath.isAbsolute() && File(filePath).exists())
{
std::string contentType = getContentType(fileName);
- response.set("Access-Control-Allow-Origin", "*");
if (Poco::Path(fileName).getExtension() == "pdf")
{
contentType = "application/pdf";
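Review bot: Dropping `Access-Control-Allow-Origin: *` only stops cross-origin scripts from reading the response body via XHR/fetch; a plain GET from another origin (top-level navigation, `<a download>`, `<iframe>`) still retrieves the file, so this removal does not by itself restrict who can download. Whatever makes the download URL hard to obtain — not visible in this hunk — remains the actual control and is worth stating next to the content-type selection, e.g. `// No CORS header: cross-origin pages must not be able to read downloads; the URL itself must stay unguessable.` The enclosing handler starts before this hunk.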
commit bd82ede6338c48a242287b303d47e980bfdd5774
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Sun Apr 9 17:23:50 2017 +0530
security: CSP: add frame-src 'self'
We need to be able to create iframes sometimes with same origin as ours,
eg: when loading the 'loading' page during slideshow or downloading the
file (in different formats). The 'blob:' is only used for printing
purposes.
Change-Id: I93666ee45e707997969e151af5142efeeca0d177
(cherry picked from commit 63631dff24a507de68b8b038cd15f7c34ad52ea5)
diff --git a/loleaflet/dist/loleaflet.html b/loleaflet/dist/loleaflet.html
index 05a49e07..8b3f794c 100644
--- a/loleaflet/dist/loleaflet.html
+++ b/loleaflet/dist/loleaflet.html
@@ -4,7 +4,7 @@
<title>Online Editor</title>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none';
- frame-src blob:;
+ frame-src 'self' blob:;
connect-src 'self' %HOST%;
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
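Review bot: Two lines below the new `frame-src` entry, `script-src 'self' 'unsafe-inline'` still permits any injected inline script, which is the main thing a CSP exists to stop, and the X-XSS-Protection header added elsewhere in this push is only a browser filter, not a replacement. The real fix is to move inline scripts into files or allow them by nonce or hash (`script-src 'self' 'nonce-…'`), though this hunk does not show how much inline script the page relies on. The `frame-src 'self' blob:` change itself is fine, and since `frame-ancestors` cannot be delivered in a `<meta>` policy, keeping the framing restriction in the server header is correct. The `<meta>` element continues past this hunk.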
commit 24cf6334eec925eda03a991b27c4401f95323508
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Fri Apr 7 15:30:23 2017 +0530
security: CORS: No need to allow requests from anywhere
insertfile post requests should be made only from our origin.
Setting '*' in Access-Control-Allow-Origin allows other origins to make
requests to insertfile too, provided the attacker knows the doc key, which
is not very hard to guess/get.
Change-Id: If98351df48935cfcdc18d6879167c0ac6089796c
(cherry picked from commit 32dde923f7eb307bfed9c59477f3a812c61129b8)
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 0fe28328..d95d9047 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -1895,9 +1895,6 @@ private:
else if (tokens.count() >= 4 && tokens[3] == "insertfile")
{
LOG_INF("Insert file request.");
- response.set("Access-Control-Allow-Origin", "*");
- response.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
- response.set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
std::string tmpPath;
ConvertToPartHandler handler(tmpPath);
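Review bot: Removing the CORS headers does not stop cross-origin POSTs to `insertfile`: a multipart/form-data form submission is a "simple" request that browsers send without preflight, so another origin can still upload against a guessed doc key and the server processes it — only the response becomes unreadable to the attacker. If the endpoint is meant to be same-origin only, check that explicitly before parsing the body, e.g. `if (request.has("Origin") && request.get("Origin") != expectedOrigin) { /* respond 403 and return */ }` with `expectedOrigin` being this server's own scheme://host:port, or require a token the loleaflet page already holds. The enclosing handler starts before this hunk and the multipart handling continues after it.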
commit c06c183901bf6b904c80981c0702a0f006004cdb
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Fri Apr 7 15:08:38 2017 +0530
wsd: Only set these headers if its WOPI
Change-Id: I1ccedc9828a724b55f8642aaa2b934c37f49a4dd
(cherry picked from commit df8ac5f33e68011fa83d5afb90733f9071889a72)
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 29be66f6..d9d0c000 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -341,11 +341,13 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "Cache-Control:max-age=11059200\r\n"
<< "ETag: \"" LOOLWSD_VERSION_HASH "\"\r\n"
<< "Content-Length: " << preprocess.size() << "\r\n"
- << "Content-Type: " << mimeType << "\r\n"
- << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
+ << "Content-Type: " << mimeType << "\r\n";
if (!wopiDomain.empty())
- oss << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n";
+ {
+ oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n"
+ << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n";
+ }
oss << "\r\n"
<< preprocess;
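Review bot: `wopiDomain` is interpolated into two header lines without validation; its origin is not visible here, but if it is derived from the request (for instance a WOPI source URL) a value containing a space, `;` or CR/LF would alter or split the headers. I would only ever emit a rebuilt `scheme://host[:port]` taken from a parsed `Poco::URI`, or at minimum reject the value when `wopiDomain.find_first_of(" \r\n;,") != std::string::npos`. Note also that `allow-from` accepts a single origin and is ignored by Chrome and Safari, so the `frame-ancestors` line is the one doing the work in those browsers. preprocessFile starts before this hunk.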