From 18c013d8fc0d95249136799c5c0e67994766d953 Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Fri, 1 Apr 2022 13:56:15 +0200
Subject: Add CSP policy merge priority for booleans

When two booleans conflict when merging CSP policies, true will win.

Signed-off-by: Vincent Petry
---
 lib/private/Security/CSP/ContentSecurityPolicy.php | 7 +++++++
 lib/private/Security/CSP/ContentSecurityPolicyManager.php | 7 ++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
(limited to 'lib/private/Security')

diff --git a/lib/private/Security/CSP/ContentSecurityPolicy.php b/lib/private/Security/CSP/ContentSecurityPolicy.php
index 8a72934d4c9..8d9551c8978 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicy.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicy.php
@@ -245,6 +245,13 @@ class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy
 $this->reportTo = $reportTo;
 }
 
+ /**
+ * @return boolean
+ */
+ public function isStrictDynamicAllowed(): bool {
+ return $this->strictDynamicAllowed;
+ }
+
 /**
 * @param boolean $strictDynamicAllowed
 */
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyManager.php b/lib/private/Security/CSP/ContentSecurityPolicyManager.php
index ff770435eda..4930dcb759c 100644
--- a/lib/private/Security/CSP/ContentSecurityPolicyManager.php
+++ b/lib/private/Security/CSP/ContentSecurityPolicyManager.php
@@ -82,7 +82,12 @@ class ContentSecurityPolicyManager implements IContentSecurityPolicyManager {
 $currentValues = \is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : [];
 $defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value))));
 } elseif (\is_bool($value)) {
- $defaultPolicy->$setter($value);
+ $getter = 'is'.ucfirst($name);
+ $currentValue = $defaultPolicy->$getter();
+ // true wins over false
+ if ($value > $currentValue) {
+ $defaultPolicy->$setter($value);
+ }
 }
 }
-- 
cgit v1.2.3
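Review bot: The docblock `@return boolean` on the new isStrictDynamicAllowed() only restates the native `bool` return type in its long-form name, while the contract that actually matters is unstated: the manager's merge code resolves `'is'.ucfirst($name)` dynamically, so this accessor exists to satisfy that naming convention. Replace the tag with a comment that records the dependency, e.g. `/** Accessor resolved by name (is<Field>) in ContentSecurityPolicyManager when merging boolean policy fields. */`, so the next boolean field added to this class gets its matching getter rather than an undefined-method Error at merge time.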
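Review bot: `if ($value > $currentValue)` relies on PHP ordering `true > false`, which reads as a numeric comparison and hides the intent; since both operands are checked as bool, `if ($value && !$currentValue) {` or simply `if ($value) { $defaultPolicy->$setter(true); }` says the same thing directly. The computed `$getter = 'is'.ucfirst($name)` will throw an Error for any bool-valued field whose class lacks an `is<Name>()` accessor, and only strictDynamicAllowed gains one in this commit, so either guard with `method_exists($defaultPolicy, $getter)` or document the naming contract next to the line. Worth stating in the comment that "true wins" is most-permissive-wins for a flag like strictDynamicAllowed, i.e. any merged app policy can loosen the effective CSP for the whole response: `// true wins over false: a permissive flag set by any merged policy applies to the whole response`. The enclosing loop that defines `$name` and `$setter` starts before this hunk.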