You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ja...@apache.org on 2020/06/18 15:13:52 UTC
[couchdb] branch master updated: fix: send CSP header to make
Fauxotn work fully
This is an automated email from the ASF dual-hosted git repository.
jan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/couchdb.git
The following commit(s) were added to refs/heads/master by this push:
new 34baa46 fix: send CSP header to make Fauxotn work fully
34baa46 is described below
commit 34baa46002a4ede723961a7d768eb25977965157
Author: Jan Lehnardt <ja...@apache.org>
AuthorDate: Thu Jun 18 14:55:38 2020 +0200
fix: send CSP header to make Fauxotn work fully
Co-authored-by: Robert Newson <rn...@apache.org>
---
src/chttpd/src/chttpd_auth.erl.orig | 89 ++++++++++++++++++++++++++++++
src/chttpd/src/chttpd_misc.erl | 2 +-
src/chttpd/test/eunit/chttpd_csp_tests.erl | 2 +-
3 files changed, 91 insertions(+), 2 deletions(-)
diff --git a/src/chttpd/src/chttpd_auth.erl.orig b/src/chttpd/src/chttpd_auth.erl.orig
new file mode 100644
index 0000000..607f09a
--- /dev/null
+++ b/src/chttpd/src/chttpd_auth.erl.orig
@@ -0,0 +1,89 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+% http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(chttpd_auth).
+
+-export([authenticate/2]).
+-export([authorize/2]).
+
+-export([default_authentication_handler/1]).
+-export([cookie_authentication_handler/1]).
+-export([proxy_authentication_handler/1]).
+-export([party_mode_handler/1]).
+
+-export([handle_session_req/1]).
+
+-include_lib("couch/include/couch_db.hrl").
+
+-define(SERVICE_ID, chttpd_auth).
+
+
+%% ------------------------------------------------------------------
+%% API Function Definitions
+%% ------------------------------------------------------------------
+
+authenticate(HttpReq, Default) ->
+ maybe_handle(authenticate, [HttpReq], Default).
+
+authorize(HttpReq, Default) ->
+ maybe_handle(authorize, [HttpReq], Default).
+
+
+%% ------------------------------------------------------------------
+%% Default callbacks
+%% ------------------------------------------------------------------
+
+default_authentication_handler(Req) ->
+ couch_httpd_auth:default_authentication_handler(Req, chttpd_auth_cache).
+
+cookie_authentication_handler(Req) ->
+ couch_httpd_auth:cookie_authentication_handler(Req, chttpd_auth_cache).
+
+proxy_authentication_handler(Req) ->
+ couch_httpd_auth:proxy_authentication_handler(Req).
+
+party_mode_handler(#httpd{method='POST', path_parts=[<<"_session">>]} = Req) ->
+ % See #1947 - users should always be able to attempt a login
+ Req#httpd{user_ctx=#user_ctx{}};
+party_mode_handler(Req) ->
+ RequireValidUser = config:get_boolean("chttpd", "require_valid_user", false),
+ ExceptUp = config:get_boolean("chttpd", "require_valid_user_except_for_up", true),
+ case RequireValidUser andalso not ExceptUp of
+ true ->
+ throw({unauthorized, <<"Authentication required.">>});
+ false ->
+ case config:get("admins") of
+ [] ->
+ Req#httpd{user_ctx = ?ADMIN_USER};
+ _ ->
+ Req#httpd{user_ctx=#user_ctx{}}
+ end
+ end.
+
+handle_session_req(Req) ->
+ couch_httpd_auth:handle_session_req(Req, chttpd_auth_cache).
+
+
+%% ------------------------------------------------------------------
+%% Internal Function Definitions
+%% ------------------------------------------------------------------
+
+maybe_handle(Func, Args, Default) ->
+ Handle = couch_epi:get_handle(?SERVICE_ID),
+ case couch_epi:decide(Handle, ?SERVICE_ID, Func, Args, []) of
+ no_decision when is_function(Default) ->
+ apply(Default, Args);
+ no_decision ->
+ Default;
+ {decided, Result} ->
+ Result
+ end.
diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index ffb5295..830fea3 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -105,7 +105,7 @@ handle_utils_dir_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
maybe_add_csp_headers(Headers, "true") ->
- DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ DefaultValues = "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
Value = config:get("csp", "header_value", DefaultValues),
[{"Content-Security-Policy", Value} | Headers];
diff --git a/src/chttpd/test/eunit/chttpd_csp_tests.erl b/src/chttpd/test/eunit/chttpd_csp_tests.erl
index e864362..b80e3fe 100644
--- a/src/chttpd/test/eunit/chttpd_csp_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_csp_tests.erl
@@ -56,7 +56,7 @@ should_not_return_any_csp_headers_when_disabled(Url) ->
should_apply_default_policy(Url) ->
?_assertEqual(
- "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
begin
{ok, _, Headers, _} = test_request:get(Url),