diff options
| author | Robert Speicher <robert@gitlab.com> | 2016-06-14 14:53:01 +0000 |
|---|---|---|
| committer | Robert Speicher <robert@gitlab.com> | 2016-06-14 14:53:01 +0000 |
| commit | c6ed8edf8e29ca37f64df07602f13fc7a34abf58 (patch) | |
| tree | 16ca999a0d76784ab5c7a74f4db8b07dcad7e5e7 /app | |
| parent | 0ca7b3ba37765cba366b2ad1b48dd09c9b5ed9bd (diff) | |
| parent | 1cda245cc4f04dedfb826053c95166a141d2ca4a (diff) | |
| download | gitlab-ce-c6ed8edf8e29ca37f64df07602f13fc7a34abf58.tar.gz | |
Merge branch '17298-wiki-xss' into 'master'
Forbid scripting for wiki files
Wiki files (not pages - files in the repo) are just sent to the browser
with whatever content-type the mime_types gem assigns to them based on
their extension. As this is from the same domain as the GitLab
application, this is an XSS vulnerability.
Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these
files.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.
See merge request !1969
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/projects/wikis_controller.rb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/app/controllers/projects/wikis_controller.rb b/app/controllers/projects/wikis_controller.rb index 2aa6bed0724..7ec1e73b3be 100644 --- a/app/controllers/projects/wikis_controller.rb +++ b/app/controllers/projects/wikis_controller.rb @@ -16,6 +16,9 @@ class Projects::WikisController < Projects::ApplicationController if @page render 'show' elsif file = @project_wiki.find_file(params[:id], params[:version_id]) + response.headers['Content-Security-Policy'] = "default-src 'none'" + response.headers['X-Content-Security-Policy'] = "default-src 'none'" + if file.on_disk? send_file file.on_disk_path, disposition: 'inline' else |