Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitef3827f

Browse files
committed
[WebProfilerBundle] Fix bundle usage in Content-Security-Policy context without unsafe-inline
1 parentce28a86 commitef3827f

File tree

16 files changed

+649
-48
lines changed

16 files changed

+649
-48
lines changed

‎src/Symfony/Bundle/DebugBundle/Resources/views/Profiler/dump.html.twig‎

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,6 @@
2727
{{dump.data|raw }}
2828
</div>
2929
{%endfor %}
30-
<imgsrc="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="onload="var h = this.parentNode.innerHTML, rx=/<script>(.*?)<\/script>/g, s; while (s = rx.exec(h)) {eval(s[1]);};" />
3130
{%endset %}
3231

3332
{{include('@WebProfiler/Profiler/toolbar_item.html.twig', {'link':true }) }}

‎src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php‎

Lines changed: 40 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111

1212
namespaceSymfony\Bundle\WebProfilerBundle\Controller;
1313

14+
useSymfony\Bundle\WebProfilerBundle\Csp\ContentSecurityPolicyHandler;
1415
useSymfony\Bundle\WebProfilerBundle\Profiler\TemplateManager;
1516
useSymfony\Component\HttpFoundation\RedirectResponse;
1617
useSymfony\Component\HttpFoundation\Request;
@@ -33,6 +34,7 @@ class ProfilerController
3334
private$twig;
3435
private$templates;
3536
private$toolbarPosition;
37+
private$cspHandler;
3638

3739
/**
3840
* Constructor.
@@ -43,13 +45,14 @@ class ProfilerController
4345
* @param array $templates The templates
4446
* @param string $toolbarPosition The toolbar position (top, bottom, normal, or null -- use the configuration)
4547
*/
46-
publicfunction__construct(UrlGeneratorInterface$generator,Profiler$profiler =null,\Twig_Environment$twig,array$templates,$toolbarPosition ='normal')
48+
publicfunction__construct(UrlGeneratorInterface$generator,Profiler$profiler =null,\Twig_Environment$twig,array$templates,$toolbarPosition ='normal',ContentSecurityPolicyHandler$cspHandler =null)
4749
{
4850
$this->generator =$generator;
4951
$this->profiler =$profiler;
5052
$this->twig =$twig;
5153
$this->templates =$templates;
5254
$this->toolbarPosition =$toolbarPosition;
55+
$this->cspHandler =$cspHandler;
5356
}
5457

5558
/**
@@ -88,6 +91,10 @@ public function panelAction(Request $request, $token)
8891

8992
$this->profiler->disable();
9093

94+
if (null !==$this->cspHandler) {
95+
$this->cspHandler->disableCsp();
96+
}
97+
9198
$panel =$request->query->get('panel','request');
9299
$page =$request->query->get('page','home');
93100

@@ -134,6 +141,10 @@ public function infoAction(Request $request, $about)
134141

135142
$this->profiler->disable();
136143

144+
if (null !==$this->cspHandler) {
145+
$this->cspHandler->disableCsp();
146+
}
147+
137148
returnnewResponse($this->twig->render('@WebProfiler/Profiler/info.html.twig',array(
138149
'about' =>$about,
139150
'request' =>$request,
@@ -185,15 +196,15 @@ public function toolbarAction(Request $request, $token)
185196
// the profiler is not enabled
186197
}
187198

188-
returnnewResponse($this->twig->render('@WebProfiler/Profiler/toolbar.html.twig',array(
199+
return$this->renderWithCspNonces($request,'@WebProfiler/Profiler/toolbar.html.twig',array(
189200
'request' =>$request,
190201
'position' =>$position,
191202
'profile' =>$profile,
192203
'templates' =>$this->getTemplateManager()->getTemplates($profile),
193204
'profiler_url' =>$url,
194205
'token' =>$token,
195206
'profiler_markup_version' =>2,// 1 = original toolbar, 2 = Symfony 2.8+ toolbar
196-
)),200,array('Content-Type' =>'text/html'));
207+
));
197208
}
198209

199210
/**
@@ -213,6 +224,10 @@ public function searchBarAction(Request $request)
213224

214225
$this->profiler->disable();
215226

227+
if (null !==$this->cspHandler) {
228+
$this->cspHandler->disableCsp();
229+
}
230+
216231
if (null ===$session =$request->getSession()) {
217232
$ip =
218233
$method =
@@ -268,6 +283,10 @@ public function searchResultsAction(Request $request, $token)
268283

269284
$this->profiler->disable();
270285

286+
if (null !==$this->cspHandler) {
287+
$this->cspHandler->disableCsp();
288+
}
289+
271290
$profile =$this->profiler->loadProfile($token);
272291

273292
$ip =$request->query->get('ip');
@@ -364,6 +383,10 @@ public function phpinfoAction()
364383

365384
$this->profiler->disable();
366385

386+
if (null !==$this->cspHandler) {
387+
$this->cspHandler->disableCsp();
388+
}
389+
367390
ob_start();
368391
phpinfo();
369392
$phpinfo =ob_get_clean();
@@ -384,4 +407,18 @@ protected function getTemplateManager()
384407

385408
return$this->templateManager;
386409
}
410+
411+
privatefunctionrenderWithCspNonces(Request$request,$template,$variables,$code =200,$headers =array('Content-Type' =>'text/html'))
412+
{
413+
$response =newResponse('',$code,$headers);
414+
415+
$nonces =$this->cspHandler ?$this->cspHandler->getNonces($request,$response) :array();
416+
417+
$variables['csp_script_nonce'] =isset($nonces['csp_script_nonce']) ?$nonces['csp_script_nonce'] :null;
418+
$variables['csp_style_nonce'] =isset($nonces['csp_style_nonce']) ?$nonces['csp_style_nonce'] :null;
419+
420+
$response->setContent($this->twig->render($template,$variables));
421+
422+
return$response;
423+
}
387424
}
Lines changed: 264 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,264 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespaceSymfony\Bundle\WebProfilerBundle\Csp;
13+
14+
useSymfony\Component\HttpFoundation\Request;
15+
useSymfony\Component\HttpFoundation\Response;
16+
17+
/**
18+
* Handles Content-Security-Policy HTTP header for the WebProfiler Bundle.
19+
*
20+
* @author Romain Neutron <imprec@gmail.com>
21+
*
22+
* @internal
23+
*/
24+
class ContentSecurityPolicyHandler
25+
{
26+
private$nonceGenerator;
27+
private$cspDisabled =false;
28+
29+
publicfunction__construct(NonceGenerator$nonceGenerator)
30+
{
31+
$this->nonceGenerator =$nonceGenerator;
32+
}
33+
34+
/**
35+
* Returns an array of nonces to be used in Twig templates and Content-Security-Policy headers.
36+
*
37+
* Nonce can be provided by;
38+
* - The request - In case HTML content is fetched via AJAX and inserted in DOM, it must use the same nonce as origin
39+
* - The response - A call to getNonces() has already been done previously. Same nonce are returned
40+
* - They are otherwise randomly generated
41+
*
42+
* @return array
43+
*/
44+
publicfunctiongetNonces(Request$request,Response$response)
45+
{
46+
if ($request->headers->has('X-SymfonyProfiler-Script-Nonce') &&$request->headers->has('X-SymfonyProfiler-Style-Nonce')) {
47+
returnarray(
48+
'csp_script_nonce' =>$request->headers->get('X-SymfonyProfiler-Script-Nonce'),
49+
'csp_style_nonce' =>$request->headers->get('X-SymfonyProfiler-Style-Nonce'),
50+
);
51+
}
52+
53+
if ($response->headers->has('X-SymfonyProfiler-Script-Nonce') &&$response->headers->has('X-SymfonyProfiler-Style-Nonce')) {
54+
returnarray(
55+
'csp_script_nonce' =>$response->headers->get('X-SymfonyProfiler-Script-Nonce'),
56+
'csp_style_nonce' =>$response->headers->get('X-SymfonyProfiler-Style-Nonce'),
57+
);
58+
}
59+
60+
$nonces =array(
61+
'csp_script_nonce' =>$this->generateNonce(),
62+
'csp_style_nonce' =>$this->generateNonce(),
63+
);
64+
65+
$response->headers->set('X-SymfonyProfiler-Script-Nonce',$nonces['csp_script_nonce']);
66+
$response->headers->set('X-SymfonyProfiler-Style-Nonce',$nonces['csp_style_nonce']);
67+
68+
return$nonces;
69+
}
70+
71+
/**
72+
* Disables Content-Security-Policy.
73+
*
74+
* All related headers will be removed.
75+
*/
76+
publicfunctiondisableCsp()
77+
{
78+
$this->cspDisabled =true;
79+
}
80+
81+
/**
82+
* Cleanup temporary headers and updates Content-Security-Policy headers.
83+
*
84+
* @return array Nonces used by the bundle in Content-Security-Policy header
85+
*/
86+
publicfunctionupdateResponseHeaders(Request$request,Response$response)
87+
{
88+
if ($this->cspDisabled) {
89+
$this->removeCspHeaders($response);
90+
91+
returnarray();
92+
}
93+
94+
$nonces =$this->getNonces($request,$response);
95+
$this->cleanHeaders($response);
96+
$this->updateCspHeaders($response,$nonces);
97+
98+
return$nonces;
99+
}
100+
101+
privatefunctioncleanHeaders(Response$response)
102+
{
103+
$response->headers->remove('X-SymfonyProfiler-Script-Nonce');
104+
$response->headers->remove('X-SymfonyProfiler-Style-Nonce');
105+
}
106+
107+
privatefunctionremoveCspHeaders(Response$response)
108+
{
109+
$response->headers->remove('X-Content-Security-Policy');
110+
$response->headers->remove('Content-Security-Policy');
111+
}
112+
113+
/**
114+
* Updates Content-Security-Policy headers in a response.
115+
*
116+
* @return array
117+
*/
118+
privatefunctionupdateCspHeaders(Response$response,array$nonces =array()) {
119+
$nonces =array_replace(array(
120+
'csp_script_nonce' =>$this->generateNonce(),
121+
'csp_style_nonce' =>$this->generateNonce(),
122+
),$nonces);
123+
124+
$ruleIsSet =false;
125+
126+
$headers =$this->getCspHeaders($response);
127+
128+
foreach ($headersas$header =>$directives) {
129+
foreach (array('script-src' =>'csp_script_nonce','style-src' =>'csp_style_nonce')as$type =>$tokenName) {
130+
if ($this->authorizesInline($directives,$type)) {
131+
continue;
132+
}
133+
if (!isset($headers[$header][$type])) {
134+
if (isset($headers[$header]['default-src'])) {
135+
$headers[$header][$type] =$headers[$header]['default-src'];
136+
}else {
137+
$headers[$header][$type] =array();
138+
}
139+
}
140+
$ruleIsSet =true;
141+
if (!in_array('\'unsafe-inline\'',$headers[$header][$type],true)) {
142+
$headers[$header][$type][] ='\'unsafe-inline\'';
143+
}
144+
$headers[$header][$type][] =sprintf('\'nonce-%s\'',$nonces[$tokenName]);
145+
}
146+
}
147+
148+
if (!$ruleIsSet) {
149+
return$nonces;
150+
}
151+
152+
foreach ($headersas$header =>$directives) {
153+
$response->headers->set($header,$this->generateCspHeader($directives));
154+
}
155+
156+
return$nonces;
157+
}
158+
159+
/**
160+
* Generates a valid Content-Security-Policy nonce.
161+
*
162+
* @return string
163+
*/
164+
privatefunctiongenerateNonce()
165+
{
166+
return$this->nonceGenerator->generate();
167+
}
168+
169+
/**
170+
* Converts a directives set array into Content-Security-Policy header.
171+
*
172+
* @param array $directives The directives set
173+
*
174+
* @return string The Content-Security-Policy header
175+
*/
176+
privatefunctiongenerateCspHeader(array$directives)
177+
{
178+
returnarray_reduce(array_keys($directives),function ($res,$name)use ($directives) {
179+
return ($res !=='' ?$res.';' :'').sprintf('%s %s',$name,implode('',$directives[$name]));
180+
},'');
181+
}
182+
183+
/**
184+
* Converts a Content-Security-Policy header value into a directives set array.
185+
*
186+
* @param string $header The header value
187+
*
188+
* @return array The directives set
189+
*/
190+
privatefunctionparseDirectives($header)
191+
{
192+
$directives =array();
193+
194+
foreach (explode(';',$header)as$directive) {
195+
$parts =explode('',trim($directive));
196+
if (count($parts) <1) {
197+
continue;
198+
}
199+
$name =array_shift($parts);
200+
$directives[$name] =$parts;
201+
}
202+
203+
return$directives;
204+
}
205+
206+
/**
207+
* Detects if the 'unsafe-inline' is prevented for a directive within the directives set.
208+
*
209+
* @param array $directivesSet The directives set
210+
* @param string $type The name of the directive to check
211+
*
212+
* @return bool
213+
*/
214+
privatefunctionauthorizesInline(array$directivesSet,$type)
215+
{
216+
if (isset($directivesSet[$type])) {
217+
$directives =$directivesSet[$type];
218+
}elseif (isset($directivesSet['default-src'])) {
219+
$directives =$directivesSet['default-src'];
220+
}else {
221+
returnfalse;
222+
}
223+
224+
returnin_array('\'unsafe-inline\'',$directives,true) && !$this->hasHashOrNonce($directives);
225+
}
226+
227+
privatefunctionhasHashOrNonce(array$directives)
228+
{
229+
foreach ($directivesas$directive) {
230+
if ('\'' !==substr($directive, -1)) {
231+
continue;
232+
}
233+
if ('\'nonce-' ===substr($directive,0,7)) {
234+
returntrue;
235+
}
236+
if (in_array(substr($directive,0,8),array('\'sha256-','\'sha384-','\'sha512-'),true)) {
237+
returntrue;
238+
}
239+
}
240+
241+
returnfalse;
242+
}
243+
244+
/**
245+
* Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
246+
* a response.
247+
*
248+
* @return array An associative array of headers
249+
*/
250+
privatefunctiongetCspHeaders(Response$response)
251+
{
252+
$headers =array();
253+
254+
if ($response->headers->has('Content-Security-Policy')) {
255+
$headers['Content-Security-Policy'] =$this->parseDirectives($response->headers->get('Content-Security-Policy'));
256+
}
257+
258+
if ($response->headers->has('X-Content-Security-Policy')) {
259+
$headers['X-Content-Security-Policy'] =$this->parseDirectives($response->headers->get('X-Content-Security-Policy'));
260+
}
261+
262+
return$headers;
263+
}
264+
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp