Set a strict CSP policy for downloaded attachments, thumbnails, and raw repository files(#38417).

Patch by Holger Just. git-svn-id: https://svn.redmine.org/redmine/trunk@22295 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Go MAEDA <maeda@farend.jp> 2023-09-18 02:16:36 +0000
committer: Go MAEDA <maeda@farend.jp> 2023-09-18 02:16:36 +0000
commit: 4973c9014b571dd7f49b834907906e21c17f08a0 (patch)
tree: 7f715b397d01751fe69cf947265d5b60c7df5b4a /app/controllers/repositories_controller.rb
parent: 3de94139172087341a61e023a0da61d95bf933d7 (diff)
download: redmine-4973c9014b571dd7f49b834907906e21c17f08a0.tar.gz
redmine-4973c9014b571dd7f49b834907906e21c17f08a0.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 8ecb0022f..3fb69e8b2 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -431,6 +431,11 @@ class RepositoriesController < ApplicationController
     end
   end
 
+  def send_file(path, options={})
+    headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+    super
+  end
+
   def valid_name?(rev)
     return true if rev.nil?
     return true if REV_PARAM_RE.match?(rev)
author	Go MAEDA <maeda@farend.jp>	2023-09-18 02:16:36 +0000
committer	Go MAEDA <maeda@farend.jp>	2023-09-18 02:16:36 +0000
commit	4973c9014b571dd7f49b834907906e21c17f08a0 (patch)
tree	7f715b397d01751fe69cf947265d5b60c7df5b4a /app/controllers/repositories_controller.rb
parent	3de94139172087341a61e023a0da61d95bf933d7 (diff)
download	redmine-4973c9014b571dd7f49b834907906e21c17f08a0.tar.gz redmine-4973c9014b571dd7f49b834907906e21c17f08a0.zip