Posted to dev@ofbiz.apache.org by "jleroux@apache.org" <jl...@apache.org> on 2020/03/20 19:20:25 UTC
Re: [ofbiz-framework] branch trunk updated: Improved: no functional change
I have finally decided to backport this (low) security issue.
It's easy to do so, better to be safe than sorry.
Jacques
On 20/03/2020 at 10:51, jleroux@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch trunk
> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
>
>
> The following commit(s) were added to refs/heads/trunk by this push:
> new b6a796c Improved: no functional change
> b6a796c is described below
>
> commit b6a796cbdfc662459a4b52a01f0a9b67c18e7c30
> Author: Jacques Le Roux <ja...@les7arts.com>
> AuthorDate: Fri Mar 20 10:51:49 2020 +0100
>
> Improved: no functional change
>
> Adds "Content-Security-Policy" frame-ancestors="self" in ErrorPage.ftl
> Because this page is used as a HTTP 500 error it's more susceptible to
> clickjacking
>
> Quoting OWASP ZAP:
> This problem still applies to error-type pages (401, 403, 500, etc.), as these
> pages are still often affected by injection problems, in which case it is still
> possible that browsers may interpret pages differently from their actual content
> type.
>
> I tried to work on other file types that were also reported but it's complicated
> and I believe it's not worth it
> ---
> themes/common-theme/template/ErrorPage.ftl | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/themes/common-theme/template/ErrorPage.ftl b/themes/common-theme/template/ErrorPage.ftl
> index 47f7caf..9be67b0 100644
> --- a/themes/common-theme/template/ErrorPage.ftl
> +++ b/themes/common-theme/template/ErrorPage.ftl
> @@ -19,6 +19,7 @@ under the License.
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html>
> <head>
> + <meta http-equiv="Content-Security-Policy" frame-ancestors="self">
> <title>500 Internal error</title>
> <style>
> body{
>
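Review bot: the added `<meta http-equiv="Content-Security-Policy" frame-ancestors="self">` line in ErrorPage.ftl has no effect, so the clickjacking protection the commit message describes is not actually in place. Two separate problems: first, `frame-ancestors` is not an attribute of `<meta>`; a meta-delivered policy has to go in the `content` attribute, and the source keyword must be quoted, i.e. `content="frame-ancestors 'self'"`. Second, and more fundamentally, the CSP specification states that the `frame-ancestors` directive is ignored when the policy is delivered via a `<meta>` element; it only takes effect when sent as an HTTP response header. The fix is to emit `Content-Security-Policy: frame-ancestors 'self'` (or, for older browsers, `X-Frame-Options: SAMEORIGIN`) as a response header from the servlet, filter or error handler that serves the 500 page, rather than from the template. A quick check after the change is to load the error page and confirm with the browser's network panel or `curl -I` that the header is present on the 500 response.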