authorJan Lehnardt <jan@apache.org>2020-06-18 14:55:38 +0200
committerJan Lehnardt <jan@apache.org>2020-06-18 15:17:24 +0200
commit495ea19b30e456a308031b6baaa5a172d64151c0 (patch)
tree3fc2340e410bde290eff5ed51067e584ce8c5b6a
parent6659dbbd7c556b8dc00c075e331d7b106d44088d (diff)
fix: send CSP header to make Fauxton work fully fix/csp
Co-authored-by: Robert Newson <rnewson@apache.org>
-rw-r--r--src/chttpd/src/chttpd_auth.erl.orig89
-rw-r--r--src/chttpd/src/chttpd_misc.erl2
-rw-r--r--src/chttpd/test/eunit/chttpd_csp_tests.erl2
3 files changed, 91 insertions, 2 deletions
diff --git a/src/chttpd/src/chttpd_auth.erl.orig b/src/chttpd/src/chttpd_auth.erl.orig
new file mode 100644
index 000000000..607f09a8a
--- /dev/null
+++ b/src/chttpd/src/chttpd_auth.erl.orig
@@ -0,0 +1,89 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+% http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(chttpd_auth).
+
+-export([authenticate/2]).
+-export([authorize/2]).
+
+-export([default_authentication_handler/1]).
+-export([cookie_authentication_handler/1]).
+-export([proxy_authentication_handler/1]).
+-export([party_mode_handler/1]).
+
+-export([handle_session_req/1]).
+
+-include_lib("couch/include/couch_db.hrl").
+
+-define(SERVICE_ID, chttpd_auth).
+
+
+%% ------------------------------------------------------------------
+%% API Function Definitions
+%% ------------------------------------------------------------------
+
+authenticate(HttpReq, Default) ->
+ maybe_handle(authenticate, [HttpReq], Default).
+
+authorize(HttpReq, Default) ->
+ maybe_handle(authorize, [HttpReq], Default).
+
+
+%% ------------------------------------------------------------------
+%% Default callbacks
+%% ------------------------------------------------------------------
+
+default_authentication_handler(Req) ->
+ couch_httpd_auth:default_authentication_handler(Req, chttpd_auth_cache).
+
+cookie_authentication_handler(Req) ->
+ couch_httpd_auth:cookie_authentication_handler(Req, chttpd_auth_cache).
+
+proxy_authentication_handler(Req) ->
+ couch_httpd_auth:proxy_authentication_handler(Req).
+
+party_mode_handler(#httpd{method='POST', path_parts=[<<"_session">>]} = Req) ->
+ % See #1947 - users should always be able to attempt a login
+ Req#httpd{user_ctx=#user_ctx{}};
+party_mode_handler(Req) ->
+ RequireValidUser = config:get_boolean("chttpd", "require_valid_user", false),
+ ExceptUp = config:get_boolean("chttpd", "require_valid_user_except_for_up", true),
+ case RequireValidUser andalso not ExceptUp of
+ true ->
+ throw({unauthorized, <<"Authentication required.">>});
+ false ->
+ case config:get("admins") of
+ [] ->
+ Req#httpd{user_ctx = ?ADMIN_USER};
+ _ ->
+ Req#httpd{user_ctx=#user_ctx{}}
+ end
+ end.
+
+handle_session_req(Req) ->
+ couch_httpd_auth:handle_session_req(Req, chttpd_auth_cache).
+
+
+%% ------------------------------------------------------------------
+%% Internal Function Definitions
+%% ------------------------------------------------------------------
+
+maybe_handle(Func, Args, Default) ->
+ Handle = couch_epi:get_handle(?SERVICE_ID),
+ case couch_epi:decide(Handle, ?SERVICE_ID, Func, Args, []) of
+ no_decision when is_function(Default) ->
+ apply(Default, Args);
+ no_decision ->
+ Default;
+ {decided, Result} ->
+ Result
+ end.
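Review bot: `src/chttpd/src/chttpd_auth.erl.orig` looks like a merge/patch backup that was committed by accident: it declares `-module(chttpd_auth)`, i.e. a second copy of the existing auth module, and neither the commit message nor the other two hunks refer to it. It should be dropped from this commit before merge; rebar3 will not compile a `.erl.orig` file, but a stale duplicate of the authentication code sitting next to the real module misleads anyone auditing how `party_mode_handler/1` and `maybe_handle/3` actually behave. Adding `*.orig` to the repository's ignore rules would prevent the same slip in future fix branches.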
diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index ffb5295b5..830fea378 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -105,7 +105,7 @@ handle_utils_dir_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
maybe_add_csp_headers(Headers, "true") ->
- DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ DefaultValues = "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
Value = config:get("csp", "header_value", DefaultValues),
[{"Content-Security-Policy", Value} | Headers];
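Review bot: The new `child-src 'self' data: blob:` default on the `DefaultValues` line widens the policy to allow `data:` and `blob:` nested contexts and workers, but nothing in the code records which Fauxton feature requires it, so a later reader cannot tell whether `data:` (the broader of the two schemes) is still needed. Note also that `child-src` is deprecated in CSP Level 3, where it only acts as a fallback for `frame-src` and `worker-src`; if the need is workers only, `worker-src 'self' blob:` would be the narrower directive, and I would add a comment such as `%% child-src: Fauxton loads blob:/data: child contexts; operators can tighten this via [csp] header_value`, since the default is overridable through `config:get("csp", "header_value", DefaultValues)` on the following line. Stylistically the new literal is well past 100 columns; splitting it across adjacent string literals, as the `script-src` continuation below already does, keeps it readable. The remaining clauses of `maybe_add_csp_headers/2` are outside the hunk.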
diff --git a/src/chttpd/test/eunit/chttpd_csp_tests.erl b/src/chttpd/test/eunit/chttpd_csp_tests.erl
index e86436254..b80e3fee6 100644
--- a/src/chttpd/test/eunit/chttpd_csp_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_csp_tests.erl
@@ -56,7 +56,7 @@ should_not_return_any_csp_headers_when_disabled(Url) ->
should_apply_default_policy(Url) ->
?_assertEqual(
- "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
begin
{ok, _, Headers, _} = test_request:get(Url),