Make sure that any newlines in the CSP are converted into simple spaces before the CSP is added to an HTTP header. This *might* fix a problem reported [forum:/info/d29e3af43c|on the forum].
Commit
e0f2283c154a019ab61f7a928069e90e19a259c62a96c3484315a365d2f31a98
Parent
7caaa287b82a199…
1 file changed
+4
+4
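--- a/src/style.c
+++ b/src/style.c
@@ -526,10 +526,11 @@
 "style-src 'self' 'unsafe-inline'";
 const char *zFormat = db_get("default-csp","");
 Blob csp;
 char *zNonce;
 char *zCsp;
+int i;
 if( zFormat[0]==0 ){
 zFormat = zBackupCSP;
 }
 blob_init(&csp, 0, 0);
 while( zFormat[0] && (zNonce = strstr(zFormat,"$nonce"))!=0 ){
@@ -537,10 +538,13 @@
 blob_append(&csp, style_nonce(), -1);
 zFormat = zNonce + 6;
 }
 blob_append(&csp, zFormat, -1);
 zCsp = blob_str(&csp);
+/* No whitespace other than actual space characters allowed in the CSP
+** string. See https://fossil-scm.org/forum/forumpost/d29e3af43c */
+for(i=0; zCsp[i]; i++){ if( fossil_isspace(zCsp[i]) ) zCsp[i] = ' '; }
 if( toHeader ){
 cgi_printf_header("Content-Security-Policy: %s\r\n", zCsp);
 }
 return zCsp;
 }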
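Review bot: The loop added after `zCsp = blob_str(&csp);` only rewrites bytes for which `fossil_isspace()` is true (presumably CR, LF, TAB, VT and FF), so any other control byte stored in the `default-csp` setting still reaches `cgi_printf_header()` unchanged, even though an HTTP field value may contain only visible characters, SP and HTAB. Widening the predicate keeps the fix a one-liner: `for(i=0; zCsp[i]; i++){ if( fossil_isspace(zCsp[i]) || (unsigned char)zCsp[i]<0x20 ) zCsp[i] = ' '; }`. Because the header is assembled from a stored setting, a check inside `cgi_printf_header()` itself would cover every caller rather than this one, but that is outside the hunk. The function's signature and the start of `zBackupCSP` lie before line 526 and are not shown; the two sections below are the old-side and new-side renderings of this same hunk and add nothing further.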
| --- src/style.c | |
| +++ src/style.c | |
| @@ -526,10 +526,11 @@ | |
| 526 | "style-src 'self' 'unsafe-inline'"; |
| 527 | const char *zFormat = db_get("default-csp",""); |
| 528 | Blob csp; |
| 529 | char *zNonce; |
| 530 | char *zCsp; |
| 531 | if( zFormat[0]==0 ){ |
| 532 | zFormat = zBackupCSP; |
| 533 | } |
| 534 | blob_init(&csp, 0, 0); |
| 535 | while( zFormat[0] && (zNonce = strstr(zFormat,"$nonce"))!=0 ){ |
| @@ -537,10 +538,13 @@ | |
| 537 | blob_append(&csp, style_nonce(), -1); |
| 538 | zFormat = zNonce + 6; |
| 539 | } |
| 540 | blob_append(&csp, zFormat, -1); |
| 541 | zCsp = blob_str(&csp); |
| 542 | if( toHeader ){ |
| 543 | cgi_printf_header("Content-Security-Policy: %s\r\n", zCsp); |
| 544 | } |
| 545 | return zCsp; |
| 546 | } |
| 547 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -526,10 +526,11 @@ | |
| 526 | "style-src 'self' 'unsafe-inline'"; |
| 527 | const char *zFormat = db_get("default-csp",""); |
| 528 | Blob csp; |
| 529 | char *zNonce; |
| 530 | char *zCsp; |
| 531 | int i; |
| 532 | if( zFormat[0]==0 ){ |
| 533 | zFormat = zBackupCSP; |
| 534 | } |
| 535 | blob_init(&csp, 0, 0); |
| 536 | while( zFormat[0] && (zNonce = strstr(zFormat,"$nonce"))!=0 ){ |
| @@ -537,10 +538,13 @@ | |
| 538 | blob_append(&csp, style_nonce(), -1); |
| 539 | zFormat = zNonce + 6; |
| 540 | } |
| 541 | blob_append(&csp, zFormat, -1); |
| 542 | zCsp = blob_str(&csp); |
| 543 | /* No whitespace other than actual space characters allowed in the CSP |
| 544 | ** string. See https://fossil-scm.org/forum/forumpost/d29e3af43c */ |
| 545 | for(i=0; zCsp[i]; i++){ if( fossil_isspace(zCsp[i]) ) zCsp[i] = ' '; } |
| 546 | if( toHeader ){ |
| 547 | cgi_printf_header("Content-Security-Policy: %s\r\n", zCsp); |
| 548 | } |
| 549 | return zCsp; |
| 550 | } |
| 551 |