Fossil SCM

Skip setting the 'default_csp' TH1 variable if it already exists (i.e. it was manually overridden).

mistachkin 2019-02-17 06:18 dynamicCsp
Commit 0b885bb952c66baaed081e4326ca0f89b15007d750112f958a10e8d158bb2f91
1 file changed +8 -6
+8 -6
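--- a/src/style.c
+++ b/src/style.c
@@ -405,22 +405,24 @@
 /*
 ** Initialize all the default TH1 variables
 */
 static void style_init_th1_vars(const char *zTitle){
 const char *zNonce = style_nonce();
- char *zDfltCsp = sqlite3_mprintf("default-src 'self' data: ; "
- "script-src 'self' 'nonce-%s' ; "
- "style-src 'self' 'unsafe-inline'",
- zNonce);
 Th_Store("nonce", zNonce);
 Th_Store("project_name", db_get("project-name","Unnamed Fossil Project"));
 Th_Store("project_description", db_get("project-description",""));
 if( zTitle ) Th_Store("title", zTitle);
 Th_Store("baseurl", g.zBaseURL);
 Th_Store("secureurl", fossil_wants_https(1)? g.zHttpsURL: g.zBaseURL);
- Th_Store("default_csp", zDfltCsp);
- sqlite3_free(zDfltCsp);
+ if( !Th_ExistsVar(g.interp, "default_csp", -1) ){
+ char *zDfltCsp = sqlite3_mprintf("default-src 'self' data: ; "
+ "script-src 'self' 'nonce-%s' ; "
+ "style-src 'self' 'unsafe-inline'",
+ zNonce);
+ Th_Store("default_csp", zDfltCsp);
+ sqlite3_free(zDfltCsp);
+ }
 Th_Store("home", g.zTop);
 Th_Store("index_page", db_get("index-page","/home"));
 if( local_zCurrentPage==0 ) style_set_current_page("%T", g.zPath);
 Th_Store("current_page", local_zCurrentPage);
 Th_Store("csrf_token", g.zCsrfToken);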
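Review bot: The new `if( !Th_ExistsVar(g.interp, "default_csp", -1) )` guard tests only that the variable exists, so any pre-set value, including an empty string or a policy without the `'nonce-%s'` script-src term, replaces the built-in Content-Security-Policy wholesale, and nothing at this site records that. Because this variable appears to carry the page's script and style restrictions, the contract belongs in a comment above the guard, e.g. `/* A default_csp set earlier (manual override) replaces the built-in policy entirely; the override must supply its own script-src nonce term. */`. The override has to be in place before this function runs, while the `nonce` TH1 variable is only stored by `Th_Store("nonce", zNonce)` a few lines earlier in the same function, so it is worth confirming that an override script has a way to obtain the nonce. The body of style_init_th1_vars continues past the end of the hunk.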
