Disallow scripts without nonce
This commit is contained in:
Jakub Vrana
parent
e23da5da0e
commit
80d030f51a
|
|
@ -420,7 +420,7 @@ class Adminer {
|
|||
echo "<fieldset><legend>" . lang('Action') . "</legend><div>";
|
||||
echo "<input type='submit' value='" . lang('Select') . "'>";
|
||||
echo " <span id='noindex' title='" . lang('Full table scan') . "'></span>";
|
||||
echo "<script>\n";
|
||||
echo "<script" . nonce() . ">\n";
|
||||
echo "var indexColumns = ";
|
||||
$columns = array();
|
||||
foreach ($indexes as $index) {
|
||||
|
|
@ -897,7 +897,7 @@ class Adminer {
|
|||
if (support("sql")) {
|
||||
echo script_src("../externals/jush/modules/jush-$jush.js");
|
||||
?>
|
||||
<script>
|
||||
<script<?php echo nonce(); ?>>
|
||||
<?php
|
||||
if ($tables) {
|
||||
$links = array();
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ function page_header($title, $error = "", $breadcrumb = array(), $title2 = "") {
|
|||
<?php } ?>
|
||||
|
||||
<body class="<?php echo lang('ltr'); ?> nojs">
|
||||
<script>
|
||||
<script<?php echo nonce(); ?>>
|
||||
mixin(document.body, {onkeydown: bodyKeydown, onclick: bodyClick<?php echo (isset($_COOKIE["adminer_version"]) ? "" : ", onload: partial(verifyVersion, '$VERSION')"); ?>});
|
||||
document.body.className = document.body.className.replace(/ nojs/, ' js');
|
||||
var offlineMessage = '<?php echo js_escape(lang('You are offline.')); ?>';
|
||||
|
|
@ -109,7 +109,7 @@ function page_headers() {
|
|||
function csp() {
|
||||
return array(
|
||||
"default-src" => "'none'",
|
||||
"script-src" => "'self' 'unsafe-inline'",
|
||||
"script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
|
||||
"style-src" => "'self' 'unsafe-inline'",
|
||||
"connect-src" => "'self'",
|
||||
"img-src" => "'self' data:",
|
||||
|
|
@ -118,6 +118,17 @@ function csp() {
|
|||
);
|
||||
}
|
||||
|
||||
/** Get a CSP nonce
|
||||
* @return string Base64 value
|
||||
*/
|
||||
function get_nonce() {
|
||||
static $nonce;
|
||||
if (!$nonce) {
|
||||
$nonce = base64_encode(rand_string());
|
||||
}
|
||||
return $nonce;
|
||||
}
|
||||
|
||||
/** Print flash and error messages
|
||||
* @param string
|
||||
* @return null
|
||||
|
|
|
|||
|
|
@ -87,7 +87,7 @@ function charset($connection) {
|
|||
* @return string
|
||||
*/
|
||||
function script($source, $trailing = "\n") {
|
||||
return "<script>$source</script>$trailing";
|
||||
return "<script" . nonce() . ">$source</script>$trailing";
|
||||
}
|
||||
|
||||
/** Return <script src> element
|
||||
|
|
@ -95,7 +95,14 @@ function script($source, $trailing = "\n") {
|
|||
* @return string
|
||||
*/
|
||||
function script_src($url) {
|
||||
return "<script src='" . h($url) . "'></script>\n";
|
||||
return "<script src='" . h($url) . "'" . nonce() . "></script>\n";
|
||||
}
|
||||
|
||||
/** Get a nonce="" attribute with CSP nonce
|
||||
* @return string
|
||||
*/
|
||||
function nonce() {
|
||||
return ' nonce="' . get_nonce() . '"';
|
||||
}
|
||||
|
||||
/** Escape for HTML
|
||||
|
|
@ -1242,7 +1249,7 @@ function slow_query($query) {
|
|||
if (support("kill") && is_object($connection2 = connect()) && ($db == "" || $connection2->select_db($db))) {
|
||||
$kill = $connection2->result(connection_id()); // MySQL and MySQLi can use thread_id but it's not in PDO_MySQL
|
||||
?>
|
||||
<script>
|
||||
<script<?php echo nonce(); ?>>
|
||||
var timeout = setTimeout(function () {
|
||||
ajax('<?php echo js_escape(ME); ?>script=kill', function () {
|
||||
}, 'token=<?php echo $token; ?>&kill=<?php echo $kill; ?>');
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
<?php
|
||||
$VERSION = "4.3.2-dev";
|
||||
$VERSION = "4.4.0-dev";
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ foreach (table_status('', true) as $table => $table_status) {
|
|||
|
||||
?>
|
||||
<div id="schema" style="height: <?php echo $top; ?>em;">
|
||||
<script>
|
||||
<script<?php echo nonce(); ?>>
|
||||
qs('#schema').onselectstart = function () { return false; };
|
||||
var tablePos = {<?php echo implode(",", $table_pos_js) . "\n"; ?>};
|
||||
var em = qs('#schema').offsetHeight / <?php echo $top; ?>;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
Adminer 4.3.2-dev:
|
||||
Adminer 4.4.0-dev:
|
||||
Add Content Security Policy
|
||||
Disallow scripts without nonce
|
||||
Add nosniff header
|
||||
PHP 7.1: Prevent warning when using empty limit
|
||||
MySQL: Remove dedicated view for replication status (added in 4.3.0)
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ class AdminerLoginSqlite {
|
|||
|
||||
function loginForm() {
|
||||
?>
|
||||
<script>
|
||||
<script<?php echo nonce(); ?>>
|
||||
addEventListener('load', function () {
|
||||
var driver = qs('name="auth[driver]"');
|
||||
if (isTag(driver, 'select')) {
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ foreach ($tables as $table => $status) {
|
|||
}
|
||||
?>
|
||||
</ul>
|
||||
<script>
|
||||
<script<?php echo nonce(); ?>>
|
||||
var tablesFilterTimeout = null;
|
||||
var tablesFilterValue = '';
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ class AdminerTinymce {
|
|||
}
|
||||
echo script_src($this->path);
|
||||
?>
|
||||
<script>
|
||||
<script<?php echo nonce(); ?>>
|
||||
tinyMCE.init({
|
||||
mode: 'none',
|
||||
theme: 'advanced',
|
||||
|
|
|
|||
Loading…
Reference in a new issue