Commit aaaf5cfe authored by Yadd's avatar Yadd

Restrict CSP form-action to URL scheme (#1384)

parent b1f876f6
......@@ -697,11 +697,11 @@ sub sendHtml {
# Set authorizated URL for POST
my $csp = $self->csp . "form-action 'self'";
if ( my $url = $req->urldc ) {
$url =~ s#https?://([^/]+).*#$1#;
$url =~ s#(https?://[^/]+).*#$1#;
$csp .= " $url";
}
my $url = $args{params}->{URL};
if ( $url and $url =~ s#https?://([^/]+).*#$1# ) {
if ( $url and $url =~ s#(https?://[^/]+).*#$1# ) {
$csp .= " $url";
}
$csp .= ';';
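Review bot: The urldc branch appends `$url` to the form-action list whether or not the new substitution matched, so a value that is not an absolute http(s) URL is written into the CSP header unmodified; the second branch (`$args{params}->{URL}`) only appends when the substitution succeeds, and the first should do the same, e.g. `$csp .= " $url" if $url =~ s#(https?://[^/]+).*#$1#;` inside the `if ( my $url = $req->urldc )` block. Since the header is space- and semicolon-delimited, appending an unchecked string is also how an unexpected directive could end up in it, so the match check is the safer default. Presumably urldc is already normalised upstream, but the hunk does not show that; worth confirming. sendHtml begins and ends outside this hunk.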
......@@ -200,12 +200,12 @@ sub exceptCspFormOK {
}
if ( $csp =~ /\s\*(?:\s.*)?\s*$/
or ( $host eq '#' and $csp =~ /'self'/ )
or $csp =~ /\b$host\b/ )
or $csp =~ m#\bhttps?://$host\b# )
{
pass(' CSP header authorize POST request');
pass(" CSP header authorize POST request to $host");
}
else {
fail(' CSP header authorize POST request');
fail(" CSP header authorize POST request to $host");
explain( $res->[1], "form-action ... $host" );
}
count(1);
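Review bot: The new check `$csp =~ m#\bhttps?://$host\b#` interpolates `$host` unescaped, so every `.` in a hostname is a regex wildcard and the trailing `\b` is satisfied by a following `.`, meaning a CSP that authorizes `https://example.com.other` would make the test pass for `example.com`; a test helper that passes spuriously hides exactly the regression this commit is about. Quote the host and require a delimiter after it: `or $csp =~ m#\bhttps?://\Q$host\E(?=[\s;]|$)# )`. The pre-existing `$csp =~ /\b$host\b/` line had the same interpolation issue, so the fix is in line with the commit's intent rather than a new concern. exceptCspFormOK starts and ends outside this hunk.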