Always send security headers in customization

This commit is contained in:
Jakub Vrana 2018-01-09 13:48:51 +01:00
parent 415253b1b1
commit 552d2a6be4
5 changed files with 9 additions and 13 deletions


@ -65,10 +65,9 @@ class Adminer {
} }
/** Headers to send before HTML output /** Headers to send before HTML output
* @return bool true to send security headers * @return null
*/ */
function headers() { function headers() {
return true;
} }
/** Print HTML code inside <head> /** Print HTML code inside <head>
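Review bot: The new `@return null` leaves the headers() docblock without any statement of what a customization can still do, and that matters because page_headers() (next hunk) now sends X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Referrer-Policy unconditionally and only then calls `$adminer->headers()` — a subclass can no longer suppress them by returning false as the removed `if ($adminer->headers())` allowed. I would spell the new contract out in the docblock, e.g. `* Called after the default security headers are sent; use header() to replace one or header_remove() to drop it.` Customizations that still `return true;` keep working since the value is ignored, but any that returned false to disable the headers silently lose that effect, which is worth stating in the changelog line as well. The same ordering note applies to the `$adminer->headers();` call in page_headers().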


@ -87,12 +87,11 @@ function page_headers() {
global $adminer; global $adminer;
header("Content-Type: text/html; charset=utf-8"); header("Content-Type: text/html; charset=utf-8");
header("Cache-Control: no-cache"); header("Cache-Control: no-cache");
if ($adminer->headers()) { header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9
header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9 header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page header("X-Content-Type-Options: nosniff");
header("X-Content-Type-Options: nosniff"); header("Referrer-Policy: origin-when-cross-origin");
header("Referrer-Policy: origin-when-cross-origin"); $adminer->headers();
}
} }
/** Print flash and error messages /** Print flash and error messages


@ -6,6 +6,7 @@ PostgreSQL: Sort table names (regression from 4.3.1)
Editor: Don't set time zone from PHP, fixes DST Editor: Don't set time zone from PHP, fixes DST
Editor: Display field comment's text inside [] only in edit form Editor: Display field comment's text inside [] only in edit form
Editor: Fix doubleclick on database page Editor: Fix doubleclick on database page
Customization: Always send security headers
Hebrew translation Hebrew translation
Adminer 4.3.1 (released 2017-04-14): Adminer 4.3.1 (released 2017-04-14):


@ -45,7 +45,6 @@ class Adminer {
} }
function headers() { function headers() {
return true;
} }
function head() { function head() {


@ -20,11 +20,9 @@ class AdminerFrames {
function headers() { function headers() {
if ($this->sameOrigin) { if ($this->sameOrigin) {
header("X-Frame-Options: SameOrigin"); header("X-Frame-Options: SameOrigin");
} elseif (function_exists('header_remove')) {
header_remove("X-Frame-Options");
} }
header("X-XSS-Protection: 0");
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: origin-when-cross-origin");
return false;
} }
} }
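Review bot: In the non-sameOrigin branch, `header_remove("X-Frame-Options")` drops the clickjacking protection that page_headers() has already sent, so the page becomes frameable from any origin, while on a PHP build without header_remove() the `deny` header silently stays and the plugin has no effect at all; neither outcome is commented. I would add `// allow framing from any origin; without header_remove() the "deny" sent by page_headers() stays in effect` above the `elseif`. The rendering does not mark which side the `elseif`/`header_remove` lines belong to, so this assumes they are the added lines and the four trailing `header(...)`/`return false;` lines are the removed ones, which is the only split consistent with the -11/+9 counts and the commit title.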