N°4129 - Security hardening

Combodo · Aug 18, 2021 · 92a9a8c · 92a9a8c
1 parent 834ac00
commit 92a9a8c
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/core/config.class.inc.php b/core/config.class.inc.php
@@ -1161,6 +1161,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		),
+		'security.disable_inline_documents_sandbox' => array(
+			'type' => 'bool',
+			'description' => 'If true then the sandbox for documents displayed in a browser tab will be disabled; enabling scripts and other interactive content. Note that setting this to true will open the application to potential XSS attacks!',
+			'default' => false,
+			'value' => false,
+			'source_of_value' => '',
+			'show_in_conf_sample' => false,
+		),
 	);
 
 	public function IsProperty($sPropCode)

diff --git a/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
@@ -1295,6 +1295,11 @@ public function DocumentAction(Request $oRequest, Application $oApp, $sOperation
         $aHeaders['Content-Type'] = $oDocument->GetMimeType();
         $aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment') . ';filename="'.$oDocument->GetFileName().'"';
 
+	    // N°4129 - Prevent XSS attacks & other script executions
+	    if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
+		    $aHeaders['Content-Security-Policy'] = 'sandbox';
+	    }
+
         return new Response($oDocument->GetData(), Response::HTTP_OK, $aHeaders);
     }
 

diff --git a/pages/ajax.render.php b/pages/ajax.render.php
@@ -902,7 +902,12 @@ function LogErrorMessage($sMsgPrefix, $aContextInfo) {
 			$sField = utils::ReadParam('field', '');
 			if (!empty($sClass) && ($sClass != 'InlineImage') && !empty($id) && !empty($sField))
 			{
-				$oPage->add_header('X-Frame-Options:'); // resets header, see N°3416
+				// Resets header, see N°3416
+				$oPage->add_header('X-Frame-Options:');
+				// N°4129 - Prevent XSS attacks & other script executions
+				if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
+					$oPage->add_header('Content-Security-Policy: sandbox;');
+				}
 				ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'inline');
 			}
 			break;