Changeset 3453:0dab0a0d4621

Timestamp:

12/13/16 14:09:04 (9 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Do not store repeated violation in CSP report data, addresses #1867

File:

• admin/csp_report.php (modified) (3 diffs)

admin/csp_report.php

@@ -10 +10 @@
 require dirname(__FILE__).'/../inc/admin/prepend.php';
 
-// Specify log file
-define('LOGFILE',path::real(DC_VAR).'/csp/csp_report.json');
+// Specify admin CSP log file if necessary
+if (!defined('LOGFILE')) {
+     define('LOGFILE',path::real(DC_VAR).'/csp/csp_report.json');
+}
 
 // Get the raw POST data
@@ -18 +20 @@
 // Only continue if it’s valid JSON that is not just `null`, `0`, `false` or an
 // empty string, i.e. if it could be a CSP violation report.
-if ($data = json_decode($data, true)) {
+if ($data = json_decode($data,true)) {
 
      // get source-file and blocked-URI to perform some tests
-     $source_file   = $data['csp-report']['source-file'];
-     $blocked_uri   = $data['csp-report']['blocked-uri'];
+     $source_file = $data['csp-report']['source-file'];
+     $blocked_uri = $data['csp-report']['blocked-uri'];
 
      if (
+          // avoid false positives notifications coming from Chrome extensions (Wappalyzer, MuteTab, etc.)
+          // bug here https://code.google.com/p/chromium/issues/detail?id=524356
+          strpos($source_file, 'chrome-extension://') === false
 
-     // avoid false positives notifications coming from Chrome extensions (Wappalyzer, MuteTab, etc.)
-     // bug here https://code.google.com/p/chromium/issues/detail?id=524356
-     strpos($source_file, 'chrome-extension://') === false
-
-     // avoid false positives notifications coming from Safari extensions (diigo, evernote, etc.)
-     && strpos($source_file, 'safari-extension://') === false
+          // avoid false positives notifications coming from Safari extensions (diigo, evernote, etc.)
+          && strpos($source_file, 'safari-extension://') === false
           && strpos($blocked_uri, 'safari-extension://') === false
 
-     // search engine extensions ?
-     && strpos($source_file, 'se-extension://') === false
+          // search engine extensions ?
+          && strpos($source_file, 'se-extension://') === false
 
-     // added by browsers in webviews
-     && strpos($blocked_uri, 'webviewprogressproxy://') === false
+          // added by browsers in webviews
+          && strpos($blocked_uri, 'webviewprogressproxy://') === false
 
           // Google Search App see for details https://github.com/nico3333fr/CSP-useful/commit/ecc8f9b0b379ae643bc754d2db33c8b47e185fd1
@@ -44 +45 @@
 
      ) {
-               // Prettify the JSON-formatted data
-               $data = json_encode(
-                         $data,
-                         JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES
-                         );
+          // Prepare report data (hash => info)
+          $hash = hash('md5',
+               $data['csp-report']['blocked-uri'].
+               $data['csp-report']['document-uri'].
+               $data['csp-report']['source-file'].
+               $data['csp-report']['line-number'].
+               $data['csp-report']['violated-directive']);
 
-               try {
-                    // Check report dir (create it if necessary)
-                    files::makeDir(dirname(LOGFILE),true);
+          try {
+               // Check report dir (create it if necessary)
+               files::makeDir(dirname(LOGFILE),true);
 
-                    if (!($fp = @fopen(LOGFILE,'a'))) {
-                         return;
+               // Check if report is not already stored in log file
+               $contents = '';
+               if (file_exists(LOGFILE)) {
+                    $contents = file_get_contents(LOGFILE);
+                    if ($contents && $contents != '') {
+                         if (substr($contents,-1) == ',') {
+                              // Remove final comma if present
+                              $contents = substr($contents,0,-1);
+                         }
+                         if ($contents != '') {
+                              $list = json_decode('['.$contents.']',true);
+                              if (is_array($list)) {
+                                   foreach ($list as $idx => $value) {
+                                        if (isset($value['hash']) && $value['hash'] == $hash) {
+                                             // Already stored, ignore
+                                             return;
+                                        }
+                                   }
+                              }
+                         }
                     }
-                    // Add an ending comma to JSon encoding data
-                    // The file content should be enclosed in brackets [] before beeing decoded
-                    fprintf($fp,'%s,',$data);
-               }  catch (Exception $e) {
+               }
+
+               // Add report to the file
+               if (!($fp = @fopen(LOGFILE,'a'))) {
+                    // Unable to open file, ignore
                     return;
                }
+
+               // Prettify the JSON-formatted data
+               $violation = array_merge(array('hash' => $hash),$data['csp-report']);
+               $output = json_encode($violation,JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
+
+               // The file content will have to be enclosed in brackets [] before
+               // beeing decoded with json_decoded(<content>,true);
+               fprintf($fp,($contents != '' ? ',' : '').'%s',$output);
+
+          }  catch (Exception $e) {
+               return;
           }
+     }
 }