-rw-r--r--core/templates/layout.base.php1
-rw-r--r--core/templates/layout.guest.php1
-rw-r--r--core/templates/layout.initial-state.php6
-rw-r--r--core/templates/layout.public.php1
-rw-r--r--core/templates/layout.user.php1
-rw-r--r--lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php3
-rw-r--r--lib/private/Template/Base.php9
-rw-r--r--lib/private/legacy/OC_Template.php9
-rw-r--r--tests/lib/AppFramework/Middleware/Security/CSPMiddlewareTest.php1
9 files changed, 23 insertions, 9 deletions
diff --git a/core/templates/layout.base.php b/core/templates/layout.base.php
index eb88d62632e..e74cd4b8cd2 100644
--- a/core/templates/layout.base.php
+++ b/core/templates/layout.base.php
@@ -14,6 +14,7 @@
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
<meta name="theme-color" content="<?php p($theme->getColorPrimary()); ?>">
+ <meta name="csp-nonce" nonce="<?php p($_['cspNonce']); /* Do not pass into "content" to prevent exfiltration */ ?>">
<link rel="icon" href="<?php print_unescaped(image_path('core', 'favicon.ico')); /* IE11+ supports png */ ?>">
<link rel="apple-touch-icon" href="<?php print_unescaped(image_path('core', 'favicon-touch.png')); ?>">
<link rel="mask-icon" sizes="any" href="<?php print_unescaped(image_path('core', 'favicon-mask.svg')); ?>" color="<?php p($theme->getColorPrimary()); ?>">
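Review bot: The inline comment on the added `csp-nonce` meta tag says what not to do but not why, so a later editor could move the value into `content` without seeing the risk. I would expand it to something like `/* Keep the value in the nonce attribute: browsers hide it from CSS attribute selectors and getAttribute(), while a "content" value stays readable and can be leaked by injected markup */`. The same line is added in layout.guest.php, layout.public.php and layout.user.php directly after `</title>`, but here it follows `theme-color`; one consistent position would make the four layouts easier to audit. Nonce hiding is, as far as I know, tied to the policy arriving as a response header, so it is worth confirming that every route rendering these layouts sends the CSP that way.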
diff --git a/core/templates/layout.guest.php b/core/templates/layout.guest.php
index be0c36d6c53..03682a24193 100644
--- a/core/templates/layout.guest.php
+++ b/core/templates/layout.guest.php
@@ -19,6 +19,7 @@
p($theme->getTitle());
?>
</title>
+ <meta name="csp-nonce" nonce="<?php p($_['cspNonce']); /* Do not pass into "content" to prevent exfiltration */ ?>">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
<?php if ($theme->getiTunesAppId() !== '') { ?>
<meta name="apple-itunes-app" content="app-id=<?php p($theme->getiTunesAppId()); ?>">
diff --git a/core/templates/layout.initial-state.php b/core/templates/layout.initial-state.php
index 23c9be1a9c4..f2387990b12 100644
--- a/core/templates/layout.initial-state.php
+++ b/core/templates/layout.initial-state.php
@@ -5,7 +5,7 @@
*/
?>
<div id="initial-state-container" style="display: none;">
- <?php foreach ($_['initialStates'] as $app => $initialState) { ?>
- <input type="hidden" id="initial-state-<?php p($app); ?>" value="<?php p(base64_encode($initialState)); ?>">
- <?php }?>
+ <?php foreach ($_['initialStates'] as $app => $initialState) { ?>
+ <input type="hidden" id="initial-state-<?php p($app); ?>" value="<?php p(base64_encode($initialState)); ?>">
+ <?php }?>
</div>
diff --git a/core/templates/layout.public.php b/core/templates/layout.public.php
index b228801190c..90aefe0b8a8 100644
--- a/core/templates/layout.public.php
+++ b/core/templates/layout.public.php
@@ -14,6 +14,7 @@
p($theme->getTitle());
?>
</title>
+ <meta name="csp-nonce" nonce="<?php p($_['cspNonce']); /* Do not pass into "content" to prevent exfiltration */ ?>">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
<?php if ($theme->getiTunesAppId() !== '') { ?>
<meta name="apple-itunes-app" content="app-id=<?php p($theme->getiTunesAppId()); ?>">
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index 475d1b89a0f..3293fc0acd7 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -29,6 +29,7 @@ p(!empty($_['application']) ? $_['application'].' - ' : '');
p($theme->getTitle());
?>
</title>
+ <meta name="csp-nonce" nonce="<?php p($_['cspNonce']); /* Do not pass into "content" to prevent exfiltration */ ?>">
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<?php if ($theme->getiTunesAppId() !== '') { ?>
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
index 2046c240291..993f74ae0e4 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -33,7 +33,8 @@ class ContentSecurityPolicyNonceManager {
// Get the token from the CSRF token, we only use the "shared secret" part
// as the first part does not add any security / entropy to the token
// so it can be ignored to keep the nonce short while keeping the same randomness
- $this->nonce = end(explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue())));
+ $csrfSecret = explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue()));
+ $this->nonce = end($csrfSecret);
} else {
$this->nonce = $this->request->server['CSP_NONCE'];
}
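Review bot: `$csrfSecret` on the added line holds the whole array returned by `explode(':', …)`, not the secret itself, which is a misleading name in security-sensitive code. `$tokenParts = explode(...)` followed by `$this->nonce = end($tokenParts);` would read more accurately. If the encrypted value ever contained no `:`, `end()` would return the full string and the nonce would carry the entire token, so a short comment stating the expected two-part format, or a check on the part count, would document that assumption. The enclosing method starts above this hunk.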
diff --git a/lib/private/Template/Base.php b/lib/private/Template/Base.php
index 2adf9172f6b..b48c10143cf 100644
--- a/lib/private/Template/Base.php
+++ b/lib/private/Template/Base.php
@@ -24,11 +24,14 @@ class Base {
* @param string $template
* @param string $requestToken
* @param \OCP\IL10N $l10n
+ * @param string $cspNonce
* @param Defaults $theme
*/
- public function __construct($template, $requestToken, $l10n, $theme) {
- $this->vars = [];
- $this->vars['requesttoken'] = $requestToken;
+ public function __construct($template, $requestToken, $l10n, $theme, $cspNonce) {
+ $this->vars = [
+ 'cspNonce' => $cspNonce,
+ 'requesttoken' => $requestToken,
+ ];
$this->l10n = $l10n;
$this->template = $template;
$this->theme = $theme;
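Review bot: The new `$cspNonce` parameter is required and appended after `$theme`, so any other subclass or caller that still invokes `Base::__construct` with four arguments will fail with an ArgumentCountError. Only OC_Template is updated in this commit, so it is worth confirming there are no other callers, or documenting in the docblock that the argument is mandatory. The docblock also lists `@param string $cspNonce` before `@param Defaults $theme`, which does not match the signature order; moving it below the `$theme` line keeps the two in step. The constructor body continues outside this hunk.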
diff --git a/lib/private/legacy/OC_Template.php b/lib/private/legacy/OC_Template.php
index 5caa733b115..e3e9a7abc5f 100644
--- a/lib/private/legacy/OC_Template.php
+++ b/lib/private/legacy/OC_Template.php
@@ -43,6 +43,7 @@ class OC_Template extends \OC\Template\Base {
$theme = OC_Util::getTheme();
$requestToken = (OC::$server->getSession() && $registerCall) ? \OCP\Util::callRegister() : '';
+ $cspNonce = \OCP\Server::get(\OC\Security\CSP\ContentSecurityPolicyNonceManager::class)->getNonce();
$parts = explode('/', $app); // fix translation when app is something like core/lostpassword
$l10n = \OC::$server->getL10N($parts[0]);
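Review bot: The added `getNonce()` call runs unconditionally, while the request token on the line above is only generated when a session exists and `$registerCall` is true. Judging by the ContentSecurityPolicyNonceManager hunk in this commit, `getNonce()` may derive its value from `csrfTokenManager->getToken()`, so constructing a template without a session, or with `$registerCall` false, could now touch the CSRF token anyway. That path deserves a test, plus a comment such as `// the nonce is needed by every layout, independent of $registerCall` to make the intent explicit. The constructor starts and ends outside this hunk.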
@@ -56,7 +57,13 @@ class OC_Template extends \OC\Template\Base {
$this->path = $path;
$this->app = $app;
- parent::__construct($template, $requestToken, $l10n, $themeDefaults);
+ parent::__construct(
+ $template,
+ $requestToken,
+ $l10n,
+ $themeDefaults,
+ $cspNonce,
+ );
}
diff --git a/tests/lib/AppFramework/Middleware/Security/CSPMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/CSPMiddlewareTest.php
index 9ce4f3daf79..63981d72b54 100644
--- a/tests/lib/AppFramework/Middleware/Security/CSPMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/CSPMiddlewareTest.php
@@ -12,7 +12,6 @@ use OC\AppFramework\Middleware\Security\CSPMiddleware;
use OC\Security\CSP\ContentSecurityPolicy;
use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
-use OC\Security\CSRF\CsrfToken;
use OC\Security\CSRF\CsrfTokenManager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;