From e9b10f9e2daa2c0e69f39ca5af8ebf4585337dbb Mon Sep 17 00:00:00 2001
From: rugk
Date: Wed, 1 Feb 2017 18:34:13 +0100
Subject: [PATCH] Add CSP sandbox

Fixes https://github.com/PrivateBin/PrivateBin/issues/168

Alos needed to run some Composer stuff, no idea why my diff was different.
---
 cfg/conf.ini.sample | 3 ++-
 lib/Configuration.php | 2 +-
 vendor/composer/autoload_psr4.php | 1 +
 vendor/composer/autoload_static.php | 8 ++++++++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/cfg/conf.ini.sample b/cfg/conf.ini.sample
index 1343df0..0d251c1 100644
--- a/cfg/conf.ini.sample
+++ b/cfg/conf.ini.sample
@@ -63,7 +63,8 @@ languageselection = false
 ; custom scripts from third-party domains to your templates, e.g. tracking
 ; scripts or run your site behind certain DDoS-protection services.
 ; Check the documentation at https://content-security-policy.com/
-; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer;"
+; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions.
+; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups"
 
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
diff --git a/lib/Configuration.php b/lib/Configuration.php
index 800ea75..4130a22 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
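Review bot: The new `; Note:` line in the conf.ini.sample hunk tells an admin they may drop `allow-popups` for a bootstrap theme, but not why the default keeps it, nor that a window opened under `allow-popups` inherits the sandbox flags unless `allow-popups-to-escape-sandbox` is also listed, so someone tightening or loosening this line has no way to predict what breaks. I would spell both out next to the sample value, e.g. `; allow-popups is only needed if your template opens new windows (e.g. target=_blank links); such windows stay sandboxed unless you also add allow-popups-to-escape-sandbox` — which theme actually opens popups is inferred from the note, so please confirm against the templates. The same value is hard-coded as the default in lib/Configuration.php in this commit, so a one-line `; keep in sync with the default in lib/Configuration.php` would stop the two copies drifting. It is also worth warning here that `sandbox` only takes effect in the enforcing Content-Security-Policy header; browsers ignore it in Content-Security-Policy-Report-Only, so a report-only trial of this header tests every directive except the one this commit adds.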
@@ -51,7 +51,7 @@ class Configuration
  'languagedefault' => '',
  'urlshortener' => '',
  'icon' => 'identicon',
- 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer;',
+ 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups',
  'zerobincompatibility' => false,
  ),
  'expire' => array(
diff --git a/vendor/composer/autoload_psr4.php b/vendor/composer/autoload_psr4.php
index 26f0ced..1bddfbd 100644
--- a/vendor/composer/autoload_psr4.php
+++ b/vendor/composer/autoload_psr4.php
@@ -7,4 +7,5 @@ $baseDir = dirname($vendorDir);
 
  return array(
  'PrivateBin\\' => array($baseDir . '/lib'),
+ 'CodeClimate\\PhpTestReporter\\' => array($vendorDir . '/codeclimate/php-test-reporter/src'),
  );
diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php
index 001a248..81b8716 100644
--- a/vendor/composer/autoload_static.php
+++ b/vendor/composer/autoload_static.php
@@ -15,6 +15,10 @@ class ComposerStaticInitDontChange
  array (
  'PrivateBin\\' => 11,
  ),
+ 'C' =>
+ array (
+ 'CodeClimate\\PhpTestReporter\\' => 28,
+ ),
  );
 
  public static $prefixDirsPsr4 = array (
@@ -22,6 +26,10 @@ class ComposerStaticInitDontChange
  array (
  0 => __DIR__ . '/../..' . '/lib',
  ),
+ 'CodeClimate\\PhpTestReporter\\' =>
+ array (
+ 0 => __DIR__ . '/..' . '/codeclimate/php-test-reporter/src',
+ ),
  );
 
  public static $prefixesPsr0 = array (
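Review bot: The new `'cspheader'` default in the Configuration.php hunk lists `allow-same-origin` together with `allow-scripts`, and for a top-level document that pair hands back most of what `sandbox` takes away — scripts run under the real origin, so cookies, storage and same-origin requests behave exactly as before — so nothing here isolates the page itself; what actually remains is whatever no listed token re-enables (modals, pointer lock, orientation lock, plugins, and popups escaping the sandbox), and a reader of this default cannot tell that without a comment. I would annotate the line, e.g. `// sandbox: allow-same-origin + allow-scripts are needed by the app itself; the directive only removes the capabilities no allow-* token below lifts`. Note too that browsers drop `sandbox` entirely when the policy is delivered via Content-Security-Policy-Report-Only or a `<meta>` element, so if this header is ever switched to report-only for testing, every other directive is still reported while this one silently vanishes — how the header is emitted is not visible in this hunk, so please confirm it is an enforcing response header. The same string appears verbatim in cfg/conf.ini.sample in this commit and the two have to be kept in sync by hand. The enclosing array literal and class Configuration both start and end outside this hunk.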