This is an automated email from the ASF dual-hosted git repository. solomax pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/openmeetings.git
The following commit(s) were added to refs/heads/master by this push:
new a230f8a [OPENMEETINGS-2366] add ability to disable CSP headers (#93)
a230f8a is described below
commit a230f8ac2f7e9409861cf48b18998fb29dd82658
Author: Konstantin Kuzov <master.nosfer...@gmail.com>
AuthorDate: Wed May 20 14:06:24 2020 +0300
[OPENMEETINGS-2366] add ability to disable CSP headers (#93)
* add ability to disable CSP headers
* add big warning about disabled CSP
---
.../apache/openmeetings/db/dao/basic/ConfigurationDao.java | 13 +++++++++++++
.../apache/openmeetings/installation/ImportInitvalues.java | 2 ++
.../org/apache/openmeetings/util/OpenmeetingsVariables.java | 1 +
.../src/main/java/org/apache/openmeetings/util/Version.java | 2 +-
4 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java b/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
index 808a40a..9bdf362 100644
--- a/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
+++ b/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
@@ -21,6 +21,7 @@ package org.apache.openmeetings.db.dao.basic;
 import static org.apache.commons.lang3.math.NumberUtils.toInt;
 import static org.apache.openmeetings.db.util.DaoHelper.setLimits;
 import static org.apache.openmeetings.util.OpenmeetingsVariables.*;
+import static org.apache.openmeetings.util.Version.getLine;
 import static org.apache.wicket.csp.CSPDirectiveSrcValue.SELF;
 import static org.apache.wicket.csp.CSPDirectiveSrcValue.STRICT_DYNAMIC;
@@ -334,6 +335,7 @@ public class ConfigurationDao implements IDataProviderDao<Configuration> {
 case CONFIG_CSP_MEDIA:
 case CONFIG_CSP_SCRIPT:
 case CONFIG_CSP_STYLE:
+ case CONFIG_CSP_ENABLED:
 updateCsp();
 break;
 case CONFIG_SMTP_SERVER:
@@ -573,6 +575,17 @@ public class ConfigurationDao implements IDataProviderDao<Configuration> {
 public void updateCsp() {
 setGaCode(getString(CONFIG_GOOGLE_ANALYTICS_CODE, null));
+ if (!getBool(CONFIG_CSP_ENABLED, true)) {
+ StringBuilder sb = new StringBuilder("\n");
+ getLine(sb, "", '#');
+ getLine(sb, "CSP headers are DISABLED", ' ');
+ getLine(sb, "Disabling CSP can lead to XSS attacks! Use this mode only if you must!", ' ');
+ getLine(sb, "", '#');
+ log.warn(sb.toString());
+ WebApplication.get().getCspSettings().blocking().disabled();
+ return;
+ }
+
 setCspFontSrc(getString(CONFIG_CSP_FONT, DEFAULT_CSP_FONT));
 setCspFrameSrc(getString(CONFIG_CSP_FRAME, SELF.getValue()));
 setCspImageSrc(getString(CONFIG_CSP_IMAGE, DEFAULT_CSP_IMAGE));
diff --git a/openmeetings-install/src/main/java/org/apache/openmeetings/installation/ImportInitvalues.java b/openmeetings-install/src/main/java/org/apache/openmeetings/installation/ImportInitvalues.java
index a148d35..b564ea4 100644
--- a/openmeetings-install/src/main/java/org/apache/openmeetings/installation/ImportInitvalues.java
+++ b/openmeetings-install/src/main/java/org/apache/openmeetings/installation/ImportInitvalues.java
@@ -37,6 +37,7 @@ import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_IMAG
 import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_MEDIA;
 import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_SCRIPT;
 import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_STYLE;
+import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_ENABLED;
 import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_DASHBOARD_RSS_FEED1;
 import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_DASHBOARD_RSS_FEED2;
 import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_DASHBOARD_SHOW_CHAT;
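Review bot: The disabled branch added to `updateCsp()` calls `WebApplication.get().getCspSettings().blocking().disabled()` and returns, but the enabled path below it never restores the blocking configuration, so after an admin sets `header.csp.enabled` to false at runtime, setting it back to true (which re-enters this method through the new switch case) only re-applies the `setCsp*Src` values onto a policy that was cleared — unless those setters rebuild the baseline themselves, which is not visible here, CSP stays off until a restart. Consider making the two paths symmetric by re-applying the application's startup CSP baseline before the `setCsp*Src` calls when the flag is true, or state on the setting that re-enabling requires a restart. The default of `true` in `getBool(CONFIG_CSP_ENABLED, true)` is the right fail-safe choice and should be kept. `updateCsp()` continues past the end of this hunk.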
@@ -382,6 +383,7 @@ public class ImportInitvalues {
 addCfg(list, CONFIG_CSP_STYLE, DEFAULT_CSP_STYLE, Configuration.Type.STRING, String.format("Value for 'style-src' directive of 'Content-Security-Policy' header (default: %s)" + cspMore, DEFAULT_CSP_STYLE), VER_5_0_0);
 addCfg(list, CONFIG_SMTP_SSL, String.valueOf(false), Configuration.Type.BOOL, "Enable SSL", VER_5_0_0);
+ addCfg(list, CONFIG_CSP_ENABLED, String.valueOf(true), Configuration.Type.BOOL, "Whether or not CSP secure headers are enabled", VER_5_0_0);
 return list;
 }
 public void loadConfiguration(InstallationConfig cfg) {
diff --git a/openmeetings-util/src/main/java/org/apache/openmeetings/util/OpenmeetingsVariables.java b/openmeetings-util/src/main/java/org/apache/openmeetings/util/OpenmeetingsVariables.java
index 5bfea3b..91187d9 100644
--- a/openmeetings-util/src/main/java/org/apache/openmeetings/util/OpenmeetingsVariables.java
+++ b/openmeetings-util/src/main/java/org/apache/openmeetings/util/OpenmeetingsVariables.java
@@ -106,6 +106,7 @@ public class OpenmeetingsVariables {
 public static final String CONFIG_CSP_MEDIA = "header.csp.media";
 public static final String CONFIG_CSP_SCRIPT = "header.csp.script";
 public static final String CONFIG_CSP_STYLE = "header.csp.style";
+ public static final String CONFIG_CSP_ENABLED = "header.csp.enabled";
 public static final int RECENT_ROOMS_COUNT = 5;
 public static final int USER_LOGIN_MINIMUM_LENGTH = 4;
diff --git a/openmeetings-util/src/main/java/org/apache/openmeetings/util/Version.java b/openmeetings-util/src/main/java/org/apache/openmeetings/util/Version.java
index cb23636..4cd3a39 100644
--- a/openmeetings-util/src/main/java/org/apache/openmeetings/util/Version.java
+++ b/openmeetings-util/src/main/java/org/apache/openmeetings/util/Version.java
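Review bot: The description string of the new `header.csp.enabled` entry, `"Whether or not CSP secure headers are enabled"`, is what an administrator reads before flipping the switch, while the only statement of the consequence lives in a server log line written after the fact; the description should carry it, e.g. `"Whether Content-Security-Policy headers are sent (default: true). Disabling them removes the XSS protection CSP provides; turn off only if you must"`. The entry is also appended after the unrelated `CONFIG_SMTP_SSL` line rather than next to the other `CONFIG_CSP_*` entries two lines above, which makes the CSP-related settings harder to audit as a group. If the `VER_5_0_0` argument gates which entries are created when an existing installation is upgraded, it is worth confirming that a version already shipped still picks this key up; otherwise `getBool(CONFIG_CSP_ENABLED, true)` silently supplies the default, which is safe but leaves the setting invisible in the UI.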
@@ -58,7 +58,7 @@ public class Version {
 return buildDate;
 }
- private static void getLine(StringBuilder sb, String text, char fill) {
+ public static void getLine(StringBuilder sb, String text, char fill) {
 sb.append("\t#");
 int l = text.length();
 int headLength = (TOTAL_LENGTH - l) / 2;
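Review bot: `getLine` becomes public API in this hunk without any Javadoc, and its name reads as a getter although it appends a `\t#`-prefixed, padded banner line to `sb`; at minimum add a doc comment such as `/** Appends one banner line to {@code sb}: a tab, '#', then {@code text} padded with {@code fill} toward {@code TOTAL_LENGTH}. */`. Also `int headLength = (TOTAL_LENGTH - l) / 2;` goes negative when `text` is longer than `TOTAL_LENGTH`, something callers outside this class (such as the longer CSP warning text now passed from ConfigurationDao) can trigger, so a clamp, `int headLength = Math.max(0, (TOTAL_LENGTH - l) / 2);`, or a documented precondition on the length of `text` is worth adding. The body of `getLine` continues past the end of this hunk, so how a negative value is consumed is not visible here.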