This is an automated email from the ASF dual-hosted git repository.

solomax pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openmeetings.git


The following commit(s) were added to refs/heads/master by this push:
     new a230f8a  [OPENMEETINGS-2366] add ability to disable CSP headers (#93)
a230f8a is described below

commit a230f8ac2f7e9409861cf48b18998fb29dd82658
Author: Konstantin Kuzov <master.nosfer...@gmail.com>
AuthorDate: Wed May 20 14:06:24 2020 +0300

    [OPENMEETINGS-2366] add ability to disable CSP headers (#93)
    
    * add ability to disable CSP headers
    
    * add big warning about disabled CSP
---
 .../apache/openmeetings/db/dao/basic/ConfigurationDao.java  | 13 +++++++++++++
 .../apache/openmeetings/installation/ImportInitvalues.java  |  2 ++
 .../org/apache/openmeetings/util/OpenmeetingsVariables.java |  1 +
 .../src/main/java/org/apache/openmeetings/util/Version.java |  2 +-
 4 files changed, 17 insertions(+), 1 deletion(-)

diff --git 
a/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
 
b/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
index 808a40a..9bdf362 100644
--- 
a/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
+++ 
b/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/basic/ConfigurationDao.java
@@ -21,6 +21,7 @@ package org.apache.openmeetings.db.dao.basic;
 import static org.apache.commons.lang3.math.NumberUtils.toInt;
 import static org.apache.openmeetings.db.util.DaoHelper.setLimits;
 import static org.apache.openmeetings.util.OpenmeetingsVariables.*;
+import static org.apache.openmeetings.util.Version.getLine;
 import static org.apache.wicket.csp.CSPDirectiveSrcValue.SELF;
 import static org.apache.wicket.csp.CSPDirectiveSrcValue.STRICT_DYNAMIC;
 
@@ -334,6 +335,7 @@ public class ConfigurationDao implements 
IDataProviderDao<Configuration> {
                        case CONFIG_CSP_MEDIA:
                        case CONFIG_CSP_SCRIPT:
                        case CONFIG_CSP_STYLE:
+                       case CONFIG_CSP_ENABLED:
                                updateCsp();
                                break;
                        case CONFIG_SMTP_SERVER:
@@ -573,6 +575,17 @@ public class ConfigurationDao implements 
IDataProviderDao<Configuration> {
        public void updateCsp() {
                setGaCode(getString(CONFIG_GOOGLE_ANALYTICS_CODE, null));
 
+               if (!getBool(CONFIG_CSP_ENABLED, true)) {
+                       StringBuilder sb = new StringBuilder("\n");
+                       getLine(sb, "", '#');
+                       getLine(sb, "CSP headers are DISABLED", ' ');
+                       getLine(sb, "Disabling CSP can lead to XSS attacks! Use 
this mode only if you must!", ' ');
+                       getLine(sb, "", '#');
+                       log.warn(sb.toString());
+                       
WebApplication.get().getCspSettings().blocking().disabled();
+                       return;
+               }
+
                setCspFontSrc(getString(CONFIG_CSP_FONT, DEFAULT_CSP_FONT));
                setCspFrameSrc(getString(CONFIG_CSP_FRAME, SELF.getValue()));
                setCspImageSrc(getString(CONFIG_CSP_IMAGE, DEFAULT_CSP_IMAGE));
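Review bot: The disabled branch switches off only the enforcing header via `blocking().disabled()`, so if a report-only policy is configured through `getCspSettings().reporting()` it would still be emitted, which contradicts the "CSP headers are DISABLED" banner; either also call `WebApplication.get().getCspSettings().reporting().disabled()` or narrow the log text to the blocking header. The `getBool(CONFIG_CSP_ENABLED, true)` default is the right fail-closed choice and is worth a comment such as `// missing or unparsable value keeps CSP on` so nobody "simplifies" it to false. `WebApplication.get()` is new on this path and throws when no Wicket application is bound to the current thread; if `updateCsp()` can run from a non-request context (e.g. configuration import), guard it with `if (Application.exists())` — whether the static `setCsp*` setters below had that constraint is not visible here. The body of updateCsp() continues past this hunk.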
diff --git 
a/openmeetings-install/src/main/java/org/apache/openmeetings/installation/ImportInitvalues.java
 
b/openmeetings-install/src/main/java/org/apache/openmeetings/installation/ImportInitvalues.java
index a148d35..b564ea4 100644
--- 
a/openmeetings-install/src/main/java/org/apache/openmeetings/installation/ImportInitvalues.java
+++ 
b/openmeetings-install/src/main/java/org/apache/openmeetings/installation/ImportInitvalues.java
@@ -37,6 +37,7 @@ import static 
org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_IMAG
 import static 
org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_MEDIA;
 import static 
org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_SCRIPT;
 import static 
org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_STYLE;
+import static 
org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_CSP_ENABLED;
 import static 
org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_DASHBOARD_RSS_FEED1;
 import static 
org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_DASHBOARD_RSS_FEED2;
 import static 
org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_DASHBOARD_SHOW_CHAT;
@@ -382,6 +383,7 @@ public class ImportInitvalues {
                addCfg(list, CONFIG_CSP_STYLE, DEFAULT_CSP_STYLE, 
Configuration.Type.STRING, String.format("Value for 'style-src' directive of 
'Content-Security-Policy' header (default: %s)"
                                + cspMore, DEFAULT_CSP_STYLE), VER_5_0_0);
                addCfg(list, CONFIG_SMTP_SSL, String.valueOf(false), 
Configuration.Type.BOOL, "Enable SSL", VER_5_0_0);
+               addCfg(list, CONFIG_CSP_ENABLED, String.valueOf(true), 
Configuration.Type.BOOL, "Whether or not CSP secure headers are enabled", 
VER_5_0_0);
                return list;
        }
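Review bot: The admin-facing description "Whether or not CSP secure headers are enabled" carries none of the XSS warning that the commit puts in the server log, yet the administrator who toggles this value in the UI sees the description and not the log; move the caveat to where the decision is made, e.g. `"Whether Content-Security-Policy headers are sent (default: true). Disabling CSP removes browser-side protection against XSS; keep it enabled unless absolutely required"`. Placing the `CONFIG_CSP_ENABLED` entry after `CONFIG_SMTP_SSL` rather than next to the other `CONFIG_CSP_*` entries also makes it easy to miss when the CSP defaults are reviewed; grouping it with them is a small readability win.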
        public void loadConfiguration(InstallationConfig cfg) {
diff --git 
a/openmeetings-util/src/main/java/org/apache/openmeetings/util/OpenmeetingsVariables.java
 
b/openmeetings-util/src/main/java/org/apache/openmeetings/util/OpenmeetingsVariables.java
index 5bfea3b..91187d9 100644
--- 
a/openmeetings-util/src/main/java/org/apache/openmeetings/util/OpenmeetingsVariables.java
+++ 
b/openmeetings-util/src/main/java/org/apache/openmeetings/util/OpenmeetingsVariables.java
@@ -106,6 +106,7 @@ public class OpenmeetingsVariables {
        public static final String CONFIG_CSP_MEDIA = "header.csp.media";
        public static final String CONFIG_CSP_SCRIPT = "header.csp.script";
        public static final String CONFIG_CSP_STYLE = "header.csp.style";
+       public static final String CONFIG_CSP_ENABLED = "header.csp.enabled";
 
        public static final int RECENT_ROOMS_COUNT = 5;
        public static final int USER_LOGIN_MINIMUM_LENGTH = 4;
diff --git 
a/openmeetings-util/src/main/java/org/apache/openmeetings/util/Version.java 
b/openmeetings-util/src/main/java/org/apache/openmeetings/util/Version.java
index cb23636..4cd3a39 100644
--- a/openmeetings-util/src/main/java/org/apache/openmeetings/util/Version.java
+++ b/openmeetings-util/src/main/java/org/apache/openmeetings/util/Version.java
@@ -58,7 +58,7 @@ public class Version {
                return buildDate;
        }
 
-       private static void getLine(StringBuilder sb, String text, char fill) {
+       public static void getLine(StringBuilder sb, String text, char fill) {
                sb.append("\t#");
                int l = text.length();
                int headLength = (TOTAL_LENGTH - l) / 2;
