source: admin/csp_report.php @ 3453:0dab0a0d4621

Visit:

Revision 3453:0dab0a0d4621, 3.1 KB checked in by franck <carnet.franck.paul@…>, 9 years ago (diff)
Do not store repeated violation in CSP report data, addresses #1867

Line
1	<?php
2	// From: https://github.com/nico3333fr/CSP-useful
3	//
4	// Note: this script requires PHP ≥ 5.4.
5	// Inspired from https://mathiasbynens.be/notes/csp-reports
6
7	// Dareboost wants it? Not a problem.
8	header('X-Content-Type-Options: "nosniff"');
9
10	require dirname(__FILE__).'/../inc/admin/prepend.php';
11
12	// Specify admin CSP log file if necessary
13	if (!defined('LOGFILE')) {
14	define('LOGFILE',path::real(DC_VAR).'/csp/csp_report.json');
15	}
16
17	// Get the raw POST data
18	$data = file_get_contents('php://input');
19
20	// Only continue if it’s valid JSON that is not just `null`, `0`, `false` or an
21	// empty string, i.e. if it could be a CSP violation report.
22	if ($data = json_decode($data,true)) {
23
24	// get source-file and blocked-URI to perform some tests
25	$source_file = $data['csp-report']['source-file'];
26	$blocked_uri = $data['csp-report']['blocked-uri'];
27
28	if (
29	// avoid false positives notifications coming from Chrome extensions (Wappalyzer, MuteTab, etc.)
30	// bug here https://code.google.com/p/chromium/issues/detail?id=524356
31	strpos($source_file, 'chrome-extension://') === false
32
33	// avoid false positives notifications coming from Safari extensions (diigo, evernote, etc.)
34	&& strpos($source_file, 'safari-extension://') === false
35	&& strpos($blocked_uri, 'safari-extension://') === false
36
37	// search engine extensions ?
38	&& strpos($source_file, 'se-extension://') === false
39
40	// added by browsers in webviews
41	&& strpos($blocked_uri, 'webviewprogressproxy://') === false
42
43	// Google Search App see for details https://github.com/nico3333fr/CSP-useful/commit/ecc8f9b0b379ae643bc754d2db33c8b47e185fd1
44	&& strpos($blocked_uri, 'gsa://onpageload') === false
45
46	) {
47	// Prepare report data (hash => info)
48	$hash = hash('md5',
49	$data['csp-report']['blocked-uri'].
50	$data['csp-report']['document-uri'].
51	$data['csp-report']['source-file'].
52	$data['csp-report']['line-number'].
53	$data['csp-report']['violated-directive']);
54
55	try {
56	// Check report dir (create it if necessary)
57	files::makeDir(dirname(LOGFILE),true);
58
59	// Check if report is not already stored in log file
60	$contents = '';
61	if (file_exists(LOGFILE)) {
62	$contents = file_get_contents(LOGFILE);
63	if ($contents && $contents != '') {
64	if (substr($contents,-1) == ',') {
65	// Remove final comma if present
66	$contents = substr($contents,0,-1);
67	}
68	if ($contents != '') {
69	$list = json_decode('['.$contents.']',true);
70	if (is_array($list)) {
71	foreach ($list as $idx => $value) {
72	if (isset($value['hash']) && $value['hash'] == $hash) {
73	// Already stored, ignore
74	return;
75	}
76	}
77	}
78	}
79	}
80	}
81
82	// Add report to the file
83	if (!($fp = @fopen(LOGFILE,'a'))) {
84	// Unable to open file, ignore
85	return;
86	}
87
88	// Prettify the JSON-formatted data
89	$violation = array_merge(array('hash' => $hash),$data['csp-report']);
90	$output = json_encode($violation,JSON_PRETTY_PRINT \| JSON_UNESCAPED_SLASHES);
91
92	// The file content will have to be enclosed in brackets [] before
93	// beeing decoded with json_decoded(<content>,true);
94	fprintf($fp,($contents != '' ? ',' : '').'%s',$output);
95
96	} catch (Exception $e) {
97	return;
98	}
99	}
100	}

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: admin/csp_report.php @ 3453:0dab0a0d4621

Download in other formats:

Sites map