From 8eb4588917b4741889fdd905d4c32e3e86317693 Mon Sep 17 00:00:00 2001 From: RainLoop Team Date: Tue, 2 Jul 2019 00:20:27 +0300 Subject: [PATCH] Improved app security --- .../v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php | 7 +++++++ .../app/libraries/RainLoop/Config/Application.php | 3 ++- rainloop/v/0.0.0/app/libraries/RainLoop/Service.php | 10 ++++++++++ .../v/0.0.0/app/libraries/RainLoop/ServiceActions.php | 1 + 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php b/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php index f7a48d45a..21776274b 100644 --- a/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php +++ b/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php @@ -1100,6 +1100,13 @@ class HtmlUtils } } + $sLinkHref = \trim($oElement->getAttribute('xlink:href')); + if ($sLinkHref && !\preg_match('/^(http[s]?):/i', $sLinkHref) && '//' !== \substr($sLinkHref, 0, 2)) + { + $oElement->setAttribute('data-x-blocked-xlink-href', $sLinkHref); + $oElement->removeAttribute('xlink:href'); + } + if (\in_array($sTagNameLower, array('a', 'form', 'area'))) { $oElement->setAttribute('target', '_blank'); diff --git a/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php b/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php index f2d7cfc02..da53c3d3e 100644 --- a/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php +++ b/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php @@ -198,7 +198,8 @@ class Application extends \RainLoop\Config\AbstractConfig 'custom_server_signature' => array('RainLoop'), 'x_frame_options_header' => array(''), - + 'x_xss_protection_header' => array('1; mode=block'), + 'openpgp' => array(false), 'admin_login' => array('admin', 'Login and password for web admin panel'), diff --git a/rainloop/v/0.0.0/app/libraries/RainLoop/Service.php b/rainloop/v/0.0.0/app/libraries/RainLoop/Service.php index f39ee62c0..b6dd4a29b 100644 --- a/rainloop/v/0.0.0/app/libraries/RainLoop/Service.php +++ b/rainloop/v/0.0.0/app/libraries/RainLoop/Service.php @@ -47,6 +47,12 @@ class Service @\header('X-Frame-Options: '.$sXFrameOptionsHeader, true); } + $sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', '')); + if (0 < \strlen($sXssProtectionOptionsHeader)) + { + @\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true); + } + if ($this->oActions->Config()->Get('labs', 'force_https', false) && !$this->oHttp->IsSecure()) { @\header('Location: https://'.$this->oHttp->GetHost(false, false).$this->oHttp->GetUrl(), true); @@ -248,6 +254,10 @@ class Service $sResult .= ']-->'; } + else + { + @\header('X-XSS-Protection: 1; mode=block'); + } // Output result echo $sResult; diff --git a/rainloop/v/0.0.0/app/libraries/RainLoop/ServiceActions.php b/rainloop/v/0.0.0/app/libraries/RainLoop/ServiceActions.php index 9f383809a..711b95dcf 100644 --- a/rainloop/v/0.0.0/app/libraries/RainLoop/ServiceActions.php +++ b/rainloop/v/0.0.0/app/libraries/RainLoop/ServiceActions.php @@ -498,6 +498,7 @@ class ServiceActions if (\method_exists($this->oActions, $sMethodName)) { @\header('X-Raw-Action: '.$sMethodName, true); + @\header('Content-Security-Policy: default-src \'self\'; script-src \'none\'; style-src \'none\'; frame-src \'none\'; child-src \'none\'', true); $sRawError = ''; $this->oActions->SetActionParams(array(