Skip to content

Commit

Permalink
WWSympa: Add CSP nonce-source to inline script (sympa-community#1122)
Browse files Browse the repository at this point in the history
  • Loading branch information
ikedas committed Apr 21, 2023
1 parent 2312ee7 commit 6691c58
Show file tree
Hide file tree
Showing 6 changed files with 20 additions and 1 deletion.
2 changes: 2 additions & 0 deletions default/web_tt2/crash.tt2
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
<!-- crash.tt2 -->
<head>
<meta charset="UTF-8" />
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' 'unsafe-inline' 'nonce-[% csp_nonce %]'" />
<meta name="generator" content="Sympa [% version %]" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title> [% main_title %] - [% action %] </title>
Expand Down
2 changes: 1 addition & 1 deletion default/web_tt2/head_javascript.tt2
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
## Use the js/sympa.js file instead of writing your scripts.
## This script only contains variable initializations.
#%]
<script>
<script nonce="[% csp_nonce %]">
<!--
[%# A few configuration settings and miscellaneous vars. ~%]
var sympa = {
Expand Down
2 changes: 2 additions & 0 deletions default/web_tt2/main.tt2
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
<!-- main.tt2 -->
<head>
<meta charset="UTF-8" />
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' 'unsafe-inline' 'nonce-[% csp_nonce %]'" />
<meta name="generator" content="Sympa [% version %]" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title> [% main_title %] - [% action %] </title>
Expand Down
2 changes: 2 additions & 0 deletions default/web_tt2/tt2_error.tt2
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
<!-- tt2_error.tt2 -->
<head>
<meta charset="UTF-8" />
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' 'unsafe-inline' 'nonce-[% csp_nonce %]'" />
<meta name="generator" content="Sympa [% version %]" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title> [% main_title %] - [% action %] </title>
Expand Down
3 changes: 3 additions & 0 deletions src/cgi/wwsympa.fcgi.in
Original file line number Diff line number Diff line change
Expand Up @@ -2292,6 +2292,9 @@ sub send_html {
## Workaround for Internet Explorer 8 or later.
print "X-UA-Compatible: IE=100\n";

# Calculate CSP nonce.
$param->{'csp_nonce'} = Sympa::Tools::Text::nonce();

## Notify crash to client.
if ($param->{'action'} eq 'crash') {
print "Status: 503 Service Unavailable\n";
Expand Down
10 changes: 10 additions & 0 deletions src/lib/Sympa/Tools/Text.pm
Original file line number Diff line number Diff line change
Expand Up @@ -400,6 +400,16 @@ sub _url_query_string {
}
}

#FIXME: rand() is not cryptographically secure, despite CSP requesting.
sub nonce {
my $md5 = Digest::MD5->new;
$md5->add(time);
foreach (0..7) {
$md5->add(pack 'S', int rand(2 << 16 - 1));
}
return MIME::Base64::encode_base64url($md5->digest);
}

sub permalink_id {
my $message_id = shift;

Expand Down

0 comments on commit 6691c58

Please sign in to comment.