https://bugs.koozali.org/show_bug.cgi?id=13004

            Bug ID: 13004
           Summary: Move to SME11 and add SM2 panel
    Classification: Contribs
           Product: SME Contribs
           Version: 11.0
          Hardware: ---
                OS: ---
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-phpsysinfo
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
  Target Milestone: ---

Some problems here, relating to CSP.

Here's a grab from the Rocket chat.

Jean Phillipe Pialasse @jean
Admin
14:06
you might be able to alter csp for this page
Brian Read @brian.read
AdminOwner
14:35

    Brian Read
    05/12/2025
    However I will try the proxying on the embedded roundcube in SM2 (which is
currently an iframe object).

Actually changed my mind. I'll try out the proxy stuff on this contrib (and
then we can decide what to do about the CSP interference)
Jean Phillipe Pialasse @jean
Admin
18:16
probably last version is ok for csp
Brian Read @brian.read
AdminOwner
19:06

    Jean Phillipe Pialasse
    05/12/2025
    probably last version is ok for csp

This IS the latest version 3 4.4.
May 13, 2025
Jean Phillipe Pialasse @jean
Admin
1:49

    <meta http-equiv="Content-Security-Policy" content="default-src
'unsafe-inline' 'unsafe-eval' 'self'" />
    <meta name="Description" content="phpSysInfo is a customizable PHP script
that displays information about your system nicely" />

Brian Read @brian.read
AdminOwner
8:13
A number of points here:

    Proxy only allows the complete takeover of the page, this can be achieved
with a simple <a> link to spawn another tab or overwrite the current one. No
need for anything more complicated.
    So if we want to embed the phpsysinfo page into an SM2 page the next option is
to run the page and display the edited html (no header or footer), which
might have other effects on the internal navigation in the psi page, plus this
does not allow us to suppress the CSP rules unless we suppress them at a higher
level in SM2 in the layout template.
    I've tried dropping the override meta into the top level layout template
and for some reason it does not suppress the CSP rules anyway.
    The only solution I can see is to use an iframe object, which I believe
opens us up to XSS exploits. If these can be eliminated then that is the
solution. I am already using an iframe for the mailstats contrib and also the
embedded webmail in SM2.


Thoughts?
Brian Read @brian.read
AdminOwner
8:23
got a day out today - back later or tomorrow (weds).
Brian Read @brian.read
AdminOwner
8:34
Just seen that in "dynamic" mode the html includes the CSP override, but not in
the static mode. HOWEVER the override does not seem to work in the SME11
context.
and HOWEVER, if we allow the <head>...</head> code through to the panel, then
the page takes over and we lose all the SM2 navigation and styling.
Brian Read @brian.read
AdminOwner
9:05
This is the result of displaying the dynamic standalone phpsysinfo web page
through SME11.
[screenshot attachment: Clipboard - May 13, 2025 9:05.png (33.97 kB)]
, and this is the header:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="Content-Style-Type" content="text/css" />
    <meta http-equiv="Content-Script-Type" content="text/javascript" />
    <meta http-equiv="Content-Security-Policy" content="default-src
'unsafe-inline' 'unsafe-eval' 'self'" />
    <meta name="Description" content="phpSysInfo is a customizable PHP script
that displays information about your system nicely" />

as you can see it has the CSP override, which does not seem to be effective on
an SME11
Brian Read @brian.read
AdminOwner
9:54
After some research it appears that a meta tag cannot override the csp set in
http response headers.
Makes sense 🤔
So it looks as though unless someone produces a version of phpsysinfo without
any inline styles we are going to have to forgo it.
I'll put it on my long term list but not plan it unless something changes
priorities or I'm looking for a neat project one day.
Editing the html would be reasonably trivial but editing the generating php
could be a nightmare.
😳
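Why the <meta> policy in the dumped header has no effect under SME11, as an added model that is not code from the bug, phpSysInfo or SME11: a browser enforces every delivered policy (response header and <meta>) separately, so a load must satisfy all of them, and a <meta> policy can only tighten what the header already allows. The SME11 header value and the page origin below are constructed assumptions; the <meta> policy is the one quoted in the bug.

```python
from urllib.parse import urlsplit

# META_CSP is the <meta> policy phpSysInfo emits (quoted in the bug).
# HEADER_CSP is a constructed stand-in for the stricter policy SME11 sends in the
# HTTP response header; the real SME11 value is not given in the bug.
HEADER_CSP = "default-src 'self'"
META_CSP = "default-src 'unsafe-inline' 'unsafe-eval' 'self'"

FETCH_FALLBACK = "default-src"  # script-src, style-src, img-src... fall back to it


def parse_csp(policy):
    """Split a serialized policy into {directive-name: [source expressions]}."""
    parsed = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            parsed[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return parsed


def source_list(policy, directive):
    """Return the governing source list, or None when the policy does not restrict it."""
    if directive in policy:
        return policy[directive]
    return policy.get(FETCH_FALLBACK)


def policy_allows(policy, directive, source, page_origin):
    """Check one policy: keywords such as 'unsafe-inline' must appear literally;
    a URL must match 'self' (same origin), '*' or an explicit host source."""
    sources = source_list(policy, directive)
    if sources is None:
        return True
    if source.startswith("'"):  # 'unsafe-inline', 'unsafe-eval'
        return source in sources
    parts = urlsplit(source)
    origin = f"{parts.scheme}://{parts.netloc}"
    return any(s == "*" or (s == "'self'" and origin == page_origin) or s in (origin, source)
               for s in sources)


def allowed(policies, directive, source, page_origin):
    """A browser enforces each delivered policy independently, so a load is permitted
    only when every policy permits it: a <meta> policy cannot loosen the header."""
    return all(policy_allows(parse_csp(p), directive, source, page_origin) for p in policies)


if __name__ == "__main__":
    origin = "https://sme.example"  # constructed page origin
    print("meta only, inline script:", allowed([META_CSP], "script-src", "'unsafe-inline'", origin))
    print("header + meta, inline script:", allowed([HEADER_CSP, META_CSP], "script-src", "'unsafe-inline'", origin))
```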

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
_______________________________________________
Mail for each SME Contribs bug report
To unsubscribe, e-mail [email protected]
Searchable archive at https://lists.contribs.org/mailman/public/contribteam/
