diff options
author | Robert Speicher <robert@gitlab.com> | 2016-06-14 14:53:01 +0000 |
---|---|---|
committer | Tomasz Maczukin <tomasz@maczukin.pl> | 2016-06-14 22:26:03 +0200 |
commit | 2da3f392580771d94c8703106690b170f421ae34 (patch) | |
tree | 4942be810ef1ee557369bf75ff7d688a32d9418d | |
parent | 6a5139276352d7fcb10dc9a3a0f89d676799e894 (diff) | |
download | gitlab-ce-2da3f392580771d94c8703106690b170f421ae34.tar.gz |
Merge branch '17298-wiki-xss' into 'master'
Forbid scripting for wiki files
Wiki files (not pages - files in the repo) are just sent to the browser
with whatever content-type the mime_types gem assigns to them based on
their extension. As this is from the same domain as the GitLab
application, this is an XSS vulnerability.
Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these
files.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.
See merge request !1969
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | app/controllers/projects/wikis_controller.rb | 3 |
2 files changed, 4 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG index dba9b54295f..8da7bc0cf14 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -8,6 +8,7 @@ v 8.8.5 - Adjust the SAML control flow to allow LDAP identities to be added to an existing SAML user - Fix incremental trace upload API when using multi-byte UTF-8 chars in trace - Prevent unauthorized access for projects build traces + - Forbid scripting for wiki files v 8.8.4 - Fix LDAP-based login for users with 2FA enabled. !4493 diff --git a/app/controllers/projects/wikis_controller.rb b/app/controllers/projects/wikis_controller.rb index 0d6c32fabd2..dcc05a44b61 100644 --- a/app/controllers/projects/wikis_controller.rb +++ b/app/controllers/projects/wikis_controller.rb @@ -16,6 +16,9 @@ class Projects::WikisController < Projects::ApplicationController if @page render 'show' elsif file = @project_wiki.find_file(params[:id], params[:version_id]) + response.headers['Content-Security-Policy'] = "default-src 'none'" + response.headers['X-Content-Security-Policy'] = "default-src 'none'" + if file.on_disk? send_file file.on_disk_path, disposition: 'inline' else |