Changeset 3432:4e82fa3c576d
- Timestamp:
- 12/02/16 11:54:52 (9 years ago)
- Branch:
- default
- Files:
-
- 3 edited
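--- a/admin/install/index.php
+++ b/admin/install/index.php
@@ -171,10 +171,20 @@
 
 # CSP directive (admin part)
+
+// SQlite Clearbricks driver does not allow using single quote at beginning or end of a field value
+// so we have to use neutral values (localhost and 127.0.0.1) for some CSP directives
+$csp_prefix = $core->con->driver() == 'sqlite' ? 'localhost ' : ''; // Hack for SQlite Clearbricks driver
+$csp_suffix = $core->con->driver() == 'sqlite' ? ' 127.0.0.1' : ''; // Hack for SQlite Clearbricks driver
+
 $blog_settings->system->put('csp_admin_on',true,'boolean','Send CSP header (admin)',true,true);
 $blog_settings->system->put('csp_admin_report_only',false,'boolean','CSP Report only violations (admin)',true,true);
-$blog_settings->system->put('csp_admin_default',"'self'",'string','CSP default-src directive',true,true);
-$blog_settings->system->put('csp_admin_script',"'self' 'unsafe-inline' 'unsafe-eval'",'string','CSP script-src directive',true,true);
-$blog_settings->system->put('csp_admin_style',"'self' 'unsafe-inline'",'string','CSP style-src directive',true,true);
-$blog_settings->system->put('csp_admin_img',"'self' data: media.dotaddict.org blob:",'string','CSP img-src directive',true,true);
+$blog_settings->system->put('csp_admin_default',
+	$csp_prefix."'self'".$csp_suffix,'string','CSP default-src directive',true,true);
+$blog_settings->system->put('csp_admin_script',
+	$csp_prefix."'self' 'unsafe-inline' 'unsafe-eval'".$csp_suffix,'string','CSP script-src directive',true,true);
+$blog_settings->system->put('csp_admin_style',
+	$csp_prefix."'self' 'unsafe-inline'".$csp_suffix,'string','CSP style-src directive',true,true);
+$blog_settings->system->put('csp_admin_img',
+	$csp_prefix."'self' data: media.dotaddict.org blob:",'string','CSP img-src directive',true,true);
 
 # Add Dotclear version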
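Review bot: On SQLite installs the new defaults for csp_admin_default, csp_admin_script and csp_admin_style become `localhost 'self' 127.0.0.1`, so `localhost` and `127.0.0.1` are real CSP host-sources that widen the admin policy beyond `'self'`, not the neutral filler the comment on the first added lines calls them; the comment should say so, e.g. `// localhost/127.0.0.1 are extra host-sources the browser will honour; they only pad the stored value so the driver keeps the surrounding quotes`. The driver test is also evaluated twice with loose `==`; compute it once as `$is_sqlite = $core->con->driver() === 'sqlite';` and derive both strings from it. The same four lines are repeated in inc/admin/lib.dc.page.php and inc/dbschema/upgrade.php in this changeset, so both remarks apply there as well.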
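--- a/inc/admin/lib.dc.page.php
+++ b/inc/admin/lib.dc.page.php
@@ -106,8 +106,18 @@
 // Get directives from settings if exist, else set defaults
 $csp = new ArrayObject(array());
-$csp['default-src'] = $core->blog->settings->system->csp_admin_default ?: "'self'";
-$csp['script-src'] = $core->blog->settings->system->csp_admin_script ?: "'self' 'unsafe-inline' 'unsafe-eval'";
-$csp['style-src'] = $core->blog->settings->system->csp_admin_style ?: "'self' 'unsafe-inline'";
-$csp['img-src'] = $core->blog->settings->system->csp_admin_img ?: "'self' data: media.dotaddict.org blob:";
+
+// SQlite Clearbricks driver does not allow using single quote at beginning or end of a field value
+// so we have to use neutral values (localhost and 127.0.0.1) for some CSP directives
+$csp_prefix = $core->con->driver() == 'sqlite' ? 'localhost ' : ''; // Hack for SQlite Clearbricks driver
+$csp_suffix = $core->con->driver() == 'sqlite' ? ' 127.0.0.1' : ''; // Hack for SQlite Clearbricks driver
+
+$csp['default-src'] = $core->blog->settings->system->csp_admin_default ?:
+	$csp_prefix."'self'".$csp_suffix;
+$csp['script-src'] = $core->blog->settings->system->csp_admin_script ?:
+	$csp_prefix."'self' 'unsafe-inline' 'unsafe-eval'".$csp_suffix;
+$csp['style-src'] = $core->blog->settings->system->csp_admin_style ?:
+	$csp_prefix."'self' 'unsafe-inline'".$csp_suffix;
+$csp['img-src'] = $core->blog->settings->system->csp_admin_img ?:
+	$csp_prefix."'self' data: media.dotaddict.org blob:";
 
 # Cope with blog post preview (via public URL in iframe)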
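Review bot: The prefix/suffix hack and the four default directive strings are now copied verbatim from admin/install/index.php (and once more in inc/dbschema/upgrade.php), so the three copies can drift the next time a directive is edited and the header actually sent would no longer match what install or upgrade store; a single shared helper returning the driver-adjusted defaults, used here in the `?:` fallbacks and by the other two files, would keep them in step. Because `?:` tests truthiness, these fallbacks are only reached when the stored setting is empty, so the driver adjustment here mostly matters for blogs whose csp_admin_* rows are absent. The surrounding function, if any, begins and ends outside the hunk.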
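--- a/inc/dbschema/upgrade.php
+++ b/inc/dbschema/upgrade.php
@@ -602,7 +602,38 @@
 sprintf($strReq,'csp_admin_report_only',false,'boolean','CSP Report only violations (admin)'));
 
+// SQlite Clearbricks driver does not allow using single quote at beginning or end of a field value
+// so we have to use neutral values (localhost and 127.0.0.1) for some CSP directives
+$csp_prefix = $core->con->driver() == 'sqlite' ? 'localhost ' : ''; // Hack for SQlite Clearbricks driver
+$csp_suffix = $core->con->driver() == 'sqlite' ? ' 127.0.0.1' : ''; // Hack for SQlite Clearbricks driver
+
+# Try to fix some CSP directive wrongly stored for SQLite drivers
+$strReq = 'UPDATE '.$core->prefix.'setting '.
+	" SET setting_value = '".$csp_prefix."''self''".$csp_suffix."' ".
+	" WHERE setting_id = 'csp_admin_default' ".
+	" AND setting_ns = 'system' ".
+	" AND setting_value = 'self' ";
+$core->con->execute($strReq);
+$strReq = 'UPDATE '.$core->prefix.'setting '.
+	" SET setting_value = '".$csp_prefix."''self'' ''unsafe-inline'' ''unsafe-eval''".$csp_suffix."' ".
+	" WHERE setting_id = 'csp_admin_script' ".
+	" AND setting_ns = 'system' ".
+	" AND setting_value = 'self'' ''unsafe-inline'' ''unsafe-eval' ";
+$core->con->execute($strReq);
+$strReq = 'UPDATE '.$core->prefix.'setting '.
+	" SET setting_value = '".$csp_prefix."''self'' ''unsafe-inline''".$csp_suffix."' ".
+	" WHERE setting_id = 'csp_admin_style' ".
+	" AND setting_ns = 'system' ".
+	" AND setting_value = 'self'' ''unsafe-inline' ";
+$core->con->execute($strReq);
+$strReq = 'UPDATE '.$core->prefix.'setting '.
+	" SET setting_value = '".$csp_prefix."''self'' data: media.dotaddict.org blob:' ".
+	" WHERE setting_id = 'csp_admin_img' ".
+	" AND setting_ns = 'system' ".
+	" AND setting_value = 'self'' data: media.dotaddict.org' ";
+$core->con->execute($strReq);
+
 # Update CSP img-src default directive
 $strReq = 'UPDATE '.$core->prefix.'setting '.
-	" SET setting_value = ' ''self'' data: media.dotaddict.org blob:' ".
+	" SET setting_value = '".$csp_prefix."''self'' data: media.dotaddict.org blob:' ".
 	" WHERE setting_id = 'csp_admin_img' ".
 	" AND setting_ns = 'system' ".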
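Review bot: The csp_admin_img repair on new line 632 only matches the stored value `self' data: media.dotaddict.org`, so a SQLite install that already stored the `blob:` variant (mangled to `self' data: media.dotaddict.org blob:`) is left unrepaired by this block unless the following img-src UPDATE, whose WHERE clause lies outside the hunk, happens to cover it; widening the condition to `" AND (setting_value = 'self'' data: media.dotaddict.org' OR setting_value = 'self'' data: media.dotaddict.org blob:') "` would close that gap. The SET and WHERE literals are assembled only from driver-derived constants, never from request data, so the hand-built `$strReq` is not an injection concern here, but that invariant and the meaning of the odd-looking WHERE values deserve a comment, e.g. `# WHERE matches the quote-stripped values the SQLite driver stored; no rows match on other drivers`. The `execute()` return values are discarded, so if the connection reports failure by return value rather than by exception a failed repair would go unnoticed and the admin CSP would stay in its broken form.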