This is an automated email from the ASF dual-hosted git repository. gcruz pushed a commit to branch gc/8470b in repository https://gitbox.apache.org/repos/asf/allura.git
commit 5f3a3c86fac1f7a466f77060455652f6d657287a
Author: Guillermo Cruz <[email protected]>
AuthorDate: Wed Oct 12 14:14:21 2022 -0600

    [#8470] removed config globlas for csp and updated middleware code
---
 Allura/allura/lib/app_globals.py | 22 ----------------------
 Allura/allura/lib/custom_middleware.py | 20 ++++++++++++--------
 2 files changed, 12 insertions(+), 30 deletions(-)

diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index 5895459e4..65279bbca 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -662,28 +662,6 @@ class Globals:
     def commit_statuses_enabled(self):
         return asbool(config['scm.commit_statuses'])
-    @property
-    def csp_report_mode(self):
-        if config.get('csp.report_mode'):
-            return asbool(config['csp.report_mode'])
-        return False
-
-    @property
-    def csp_report_uri(self):
-        if config.get('csp.report_uri'):
-            return config['csp.report_uri']
-        return None
-    @property
-    def csp_report_uri_enforce(self):
-        if config.get('csp.report_uri_enforce'):
-            return config['csp.report_uri_enforce']
-        return None
-    @property
-    def csp_report_enforce(self):
-        if config.get('csp.report_enforce_mode'):
-            return True
-        return False
-
 class Icon:
     def __init__(self, css, title=None):
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 7665f64de..8974734d3 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -22,7 +22,7 @@ import logging
 import tg
 import pkg_resources
 from paste import fileapp
-from paste.deploy.converters import aslist
+from paste.deploy.converters import aslist, asbool
 from tg import tmpl_context as c
 from tg.support.middlewares import _call_wsgi_application as call_wsgi_application
 from timermiddleware import Timer, TimerMiddleware
@@ -470,29 +470,33 @@ class ContentSecurityPolicyMiddleware:
         resp = req.get_response(self.app)
         rules = resp.headers.getall('Content-Security-Policy')
         report_rules = resp.headers.getall('Content-Security-Policy-Report-Only')
-
+        report_mode = asbool(self.config.get('csp.report_mode',False))
+        report_enforce_mode = asbool(self.config.get('csp.report_enforce_mode',False))
+        report_uri = self.config.get('csp.report_uri', None)
+        report_uri_enforce = self.config.get('csp.report_uri_enforce', None)
+
         if rules:
             resp.headers.pop('Content-Security-Policy')
         if report_rules:
             resp.headers.pop('Content-Security-Policy-Report-Only')
-        if g.csp_report_mode and g.csp_report_uri:
-            report_rules.append(f'report-uri {g.csp_report_uri}; report-to {g.csp_report_uri}')
+        if report_mode and report_uri:
+            report_rules.append(f'report-uri {report_uri}; report-to {report_uri}')
         if self.config['base_url'].startswith('https'):
             rules.append('upgrade-insecure-requests')
-        if g.csp_report_enforce and g.csp_report_uri_enforce:
-            rules.append(f'report-uri {g.csp_report_uri_enforce}; report-to {g.csp_report_uri_enforce:}')
+        if report_enforce_mode and report_uri_enforce:
+            rules.append(f'report-uri {report_uri_enforce}; report-to {report_uri_enforce:}')
         if self.config.get('csp.frame_sources'):
-            if g.csp_report_mode:
+            if report_mode:
                 report_rules.append(f"frame-src {self.config['csp.frame_sources']}")
             else:
                 rules.append(f"frame-src {self.config['csp.frame_sources']}")
         if self.config.get('csp.form_action_urls'):
-            if g.csp_report_mode:
+            if report_mode:
                 report_rules.append(f"form-action {self.config['csp.form_action_urls']}")
             else:
                 rules.append(f"form-action {self.config['csp.form_action_urls']}")
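Review bot: In the added lines `report_rules.append(f'report-uri {report_uri}; report-to {report_uri}')` and `rules.append(f'report-uri {report_uri_enforce}; report-to {report_uri_enforce:}')` the `report-to` directive is handed a URL, but per CSP Level 3 `report-to` takes the name of a reporting group declared in a `Report-To`/`Reporting-Endpoints` response header; unless such a header naming that group is emitted elsewhere (not visible in this hunk), browsers will ignore the `report-to` part and only the deprecated `report-uri` will deliver violation reports. The enforce line also carries a stray `:` inside its placeholder (`{report_uri_enforce:}`) — an empty format spec that renders identically, but it should read `{report_uri_enforce}` to match the report-only line. A related gap in the new `report_mode` branches: when `csp.report_mode` is on but `csp.report_uri` is unset, the frame-src/form-action directives go only into the Report-Only header with no reporting endpoint, so the policy is neither enforced nor reported; a warning through the module's logger at that point would make the misconfiguration visible. The enclosing method starts before the hunk and appears to continue past it where the rebuilt headers are written back.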
