Move browserSupportsCspV3 to CSPNonceManager

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
author: Roeland Jago Douma <roeland@famdouma.nl> 2016-10-25 21:36:17 +0200
committer: Roeland Jago Douma <roeland@famdouma.nl> 2016-10-25 22:03:10 +0200
commit: e351ba56f13f82a9d5a8f95ee42f5343a167d5f4 (patch)
tree: 2d3c33df8c1114ee976df15ba8fb689e73ff249f /lib
parent: d5589a15d5c681bb26cb8717e0e5abdb5021a1b1 (diff)
download: nextcloud-server-e351ba56f13f82a9d5a8f95ee42f5343a167d5f4.tar.gz
nextcloud-server-e351ba56f13f82a9d5a8f95ee42f5343a167d5f4.zip
4 files changed, 40 insertions, 22 deletions
diff --git a/lib/private/AppFramework/DependencyInjection/DIContainer.php b/lib/private/AppFramework/DependencyInjection/DIContainer.php
index 97faa0edf49..8fe9b4dca03 100644
--- a/lib/private/AppFramework/DependencyInjection/DIContainer.php
+++ b/lib/private/AppFramework/DependencyInjection/DIContainer.php
@@ -380,7 +380,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 				$app->isLoggedIn(),
 				$app->isAdminUser(),
 				$app->getServer()->getContentSecurityPolicyManager(),
-				$app->getServer()->getCsrfTokenManager()
+				$app->getServer()->getCsrfTokenManager(),
+				$app->getServer()->getContentSecurityPolicyNonceManager()
 			);
 		});
 
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 6c33c0023ea..183e55740ea 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -36,6 +36,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
 use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Security\CSP\ContentSecurityPolicyManager;
+use OC\Security\CSP\ContentSecurityPolicyNonceManager;
 use OC\Security\CSRF\CsrfTokenManager;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
@@ -80,6 +81,8 @@ class SecurityMiddleware extends Middleware {
 	private $contentSecurityPolicyManager;
 	/** @var CsrfTokenManager */
 	private $csrfTokenManager;
+	/** @var ContentSecurityPolicyNonceManager */
+	private $cspNonceManager;
 
 	/**
 	 * @param IRequest $request
@@ -92,6 +95,7 @@ class SecurityMiddleware extends Middleware {
 	 * @param bool $isAdminUser
 	 * @param ContentSecurityPolicyManager $contentSecurityPolicyManager
 	 * @param CSRFTokenManager $csrfTokenManager
+	 * @param ContentSecurityPolicyNonceManager $cspNonceManager
 	 */
 	public function __construct(IRequest $request,
 								ControllerMethodReflector $reflector,
@@ -102,7 +106,8 @@ class SecurityMiddleware extends Middleware {
 								$isLoggedIn,
 								$isAdminUser,
 								ContentSecurityPolicyManager $contentSecurityPolicyManager,
-								CsrfTokenManager $csrfTokenManager) {
+								CsrfTokenManager $csrfTokenManager,
+								ContentSecurityPolicyNonceManager $cspNonceManager) {
 		$this->navigationManager = $navigationManager;
 		$this->request = $request;
 		$this->reflector = $reflector;
@@ -113,6 +118,7 @@ class SecurityMiddleware extends Middleware {
 		$this->isAdminUser = $isAdminUser;
 		$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
 		$this->csrfTokenManager = $csrfTokenManager;
+		$this->cspNonceManager = $cspNonceManager;
 	}
 
 
@@ -177,23 +183,6 @@ class SecurityMiddleware extends Middleware {
 
 	}
 
-	private function browserSupportsCspV3() {
-		$browserWhitelist = [
-			// Chrome 40+
-			'/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[4-9][0-9].[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+$/',
-			// Firefox 45+
-			'/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/',
-			// Safari 10+
-			'/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/1[0-9.]+ Safari\/[0-9.A-Z]+$/',
-		];
-
-		if($this->request->isUserAgent($browserWhitelist)) {
-			return true;
-		}
-
-		return false;
-	}
-
 	/**
 	 * Performs the default CSP modifications that may be injected by other
 	 * applications
@@ -213,7 +202,7 @@ class SecurityMiddleware extends Middleware {
 		$defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
 		$defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
 
-		if($this->browserSupportsCspV3()) {
+		if($this->cspNonceManager->browserSupportsCspV3()) {
 			$defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
 		}
 
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 0482ea49e5c..fe1c2e4404b 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -22,6 +22,7 @@
 namespace OC\Security\CSP;
 
 use OC\Security\CSRF\CsrfTokenManager;
+use OCP\IRequest;
 
 /**
  * @package OC\Security\CSP
@@ -29,14 +30,19 @@ use OC\Security\CSRF\CsrfTokenManager;
 class ContentSecurityPolicyNonceManager {
 	/** @var CsrfTokenManager */
 	private $csrfTokenManager;
+	/** @var IRequest */
+	private $request;
 	/** @var string */
 	private $nonce = '';
 
 	/**
 	 * @param CsrfTokenManager $csrfTokenManager
+	 * @param IRequest $request
 	 */
-	public function __construct(CsrfTokenManager $csrfTokenManager) {
+	public function __construct(CsrfTokenManager $csrfTokenManager,
+								IRequest $request) {
 		$this->csrfTokenManager = $csrfTokenManager;
+		$this->request = $request;
 	}
 
 	/**
@@ -51,4 +57,25 @@ class ContentSecurityPolicyNonceManager {
 
 		return $this->nonce;
 	}
+
+	/**
+	 * Check if the browser supports CSP v3
+	 * @return bool
+	 */
+	public function browserSupportsCspV3() {
+		$browserWhitelist = [
+			// Chrome 40+
+			'/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[4-9][0-9].[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+$/',
+			// Firefox 45+
+			'/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/',
+			// Safari 10+
+			'/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/1[0-9.]+ Safari\/[0-9.A-Z]+$/',
+		];
+
+		if($this->request->isUserAgent($browserWhitelist)) {
+			return true;
+		}
+
+		return false;
+	}
 }
diff --git a/lib/private/Server.php b/lib/private/Server.php
index 1ccc27802d2..21ec311401d 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -711,7 +711,8 @@ class Server extends ServerContainer implements IServerContainer {
 		});
 		$this->registerService('ContentSecurityPolicyNonceManager', function(Server $c) {
 			return new ContentSecurityPolicyNonceManager(
-				$c->getCsrfTokenManager()
+				$c->getCsrfTokenManager(),
+				$c->getRequest()
 			);
 		});
 		$this->registerService('ShareManager', function(Server $c) {
author	Roeland Jago Douma <roeland@famdouma.nl>	2016-10-25 21:36:17 +0200
committer	Roeland Jago Douma <roeland@famdouma.nl>	2016-10-25 22:03:10 +0200
commit	e351ba56f13f82a9d5a8f95ee42f5343a167d5f4 (patch)
tree	2d3c33df8c1114ee976df15ba8fb689e73ff249f /lib
parent	d5589a15d5c681bb26cb8717e0e5abdb5021a1b1 (diff)
download	nextcloud-server-e351ba56f13f82a9d5a8f95ee42f5343a167d5f4.tar.gz nextcloud-server-e351ba56f13f82a9d5a8f95ee42f5343a167d5f4.zip