Changeset 3599:1bea61af9270

Timestamp:

11/11/17 16:23:50 (8 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

2.12

Message:

Add  http:// protocol before media.dotaddict.org for csp_admin_img, fixes #2257

Files:

• admin/install/index.php (modified) (1 diff)
• inc/admin/lib.dc.page.php (modified) (1 diff)
• inc/dbschema/upgrade.php (modified) (1 diff)

admin/install/index.php

@@ -186 +186 @@
                $csp_prefix."'self' 'unsafe-inline'".$csp_suffix,'string','CSP style-src directive',true,true);
           $blog_settings->system->put('csp_admin_img',
-               $csp_prefix."'self' data: media.dotaddict.org blob:",'string','CSP img-src directive',true,true);
+               $csp_prefix."'self' data: http://media.dotaddict.org blob:",'string','CSP img-src directive',true,true);
 
           # Add Dotclear version

inc/admin/lib.dc.page.php

@@ -119 +119 @@
                     $csp_prefix."'self' 'unsafe-inline'".$csp_suffix;
                $csp['img-src'] = $core->blog->settings->system->csp_admin_img ?:
-                    $csp_prefix."'self' data: media.dotaddict.org blob:";
+                    $csp_prefix."'self' data: http://media.dotaddict.org blob:";
 
                # Cope with blog post preview (via public URL in iframe)

inc/dbschema/upgrade.php

@@ -697 +697 @@
           }
 
+          if (version_compare($version,'2.12.2','<'))
+          {
+               // SQlite Clearbricks driver does not allow using single quote at beginning or end of a field value
+               // so we have to use neutral values (localhost and 127.0.0.1) for some CSP directives
+               $csp_prefix = $core->con->driver() == 'sqlite' ? 'localhost ' : '';   // Hack for SQlite Clearbricks driver
+
+               # Update CSP img-src default directive
+               $strReq = 'UPDATE '.$core->prefix.'setting '.
+                         " SET setting_value = '".$csp_prefix."''self'' data: http://media.dotaddict.org blob:' ".
+                         " WHERE setting_id = 'csp_admin_img' ".
+                         " AND setting_ns = 'system' ".
+                         " AND setting_value = '".$csp_prefix."''self'' data: media.dotaddict.org blob:' ";
+               $core->con->execute($strReq);
+          }
+
           $core->setVersion('core',DC_VERSION);
           $core->blogDefaults();