From 9d83a1e23f3fde933ec990736fd77a8adb2e4803 Mon Sep 17 00:00:00 2001
From: FloatingGhost
Date: Fri, 26 May 2023 11:41:22 +0100
Subject: [PATCH 1/2] Add csp

---
 lib/pleroma/reverse_proxy.ex | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/pleroma/reverse_proxy.ex b/lib/pleroma/reverse_proxy.ex
index 91cf1bba3..b44f0b90a 100644
--- a/lib/pleroma/reverse_proxy.ex
+++ b/lib/pleroma/reverse_proxy.ex
@@ -251,6 +251,7 @@ defp build_resp_headers(headers, opts) do
 |> Enum.filter(fn {k, _} -> k in @keep_resp_headers end)
 |> build_resp_cache_headers(opts)
 |> build_resp_content_disposition_header(opts)
+ |> build_csp_headers()
 |> Keyword.merge(Keyword.get(opts, :resp_headers, []))
 end

@@ -316,6 +317,10 @@ defp build_resp_content_disposition_header(headers, opts) do
 end
 end

+ defp build_csp_headers(headers) do
+ List.keystore(headers, "content-security-policy", 0, {"content-security-policy", "sandbox"})
+ end
+
 defp header_length_constraint(headers, limit) when is_integer(limit) and limit > 0 do
 with {_, size} <- List.keyfind(headers, "content-length", 0),
 {size, _} <- Integer.parse(size),

From 7fb9960ccddfc078be28c1b2716eff07a90fa7b3 Mon Sep 17 00:00:00 2001
From: FloatingGhost
Date: Fri, 26 May 2023 11:46:18 +0100
Subject: [PATCH 2/2] Add CSP to mediaproxy links

---
 CHANGELOG.md | 3 +++
 lib/pleroma/web/plugs/uploaded_media.ex | 2 +-
 mix.exs | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6dd45e17..97c73a267 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Support for `streams` public key URIs
 - Bookmarks are cleaned up on DB prune now

+## Security
+- Fixed mediaproxy being a bit of a silly billy
+
 ## 2023.04

 ## Added
diff --git a/lib/pleroma/web/plugs/uploaded_media.ex b/lib/pleroma/web/plugs/uploaded_media.ex
index 72f20e8de..cccbfe350 100644
--- a/lib/pleroma/web/plugs/uploaded_media.ex
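Review bot: The new `|> build_csp_headers()` step runs before `|> Keyword.merge(Keyword.get(opts, :resp_headers, []))`, so any caller that passes a `content-security-policy` entry in `:resp_headers` silently replaces the hardening header rather than being overridden by it. If the policy is meant to be non-negotiable for proxied media, swap the two steps so the merge happens first: `|> Keyword.merge(Keyword.get(opts, :resp_headers, []))` then `|> build_csp_headers()`. If callers are trusted to override it, a short comment on the pipeline saying so would stop the next reader from "fixing" the order. `build_resp_headers/2` begins outside this hunk (only its signature is visible in the hunk header).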
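Review bot: `build_csp_headers/1` has no comment explaining why `sandbox` is the policy, which is the kind of line a later maintainer loosens when something "doesn't render"; a why-comment above the `defp` would protect it, e.g. `# A proxied upload may be HTML/SVG carrying script. If a browser opens it directly as a document, CSP "sandbox" gives it an opaque origin so it cannot read cookies or act as the instance's origin; ordinary <img>/<video> subresource loads are unaffected.` Note also that the second commit in this series sets uploaded_media.ex to `script-src none` while this helper uses `sandbox`, so locally stored and proxied media end up with different policies; one shared value (or one shared helper) would keep the two media paths in step. `List.keystore` at position 0 replaces any `content-security-policy` that survived the `@keep_resp_headers` filter above, which looks intended, but a one-line comment saying the upstream value is deliberately overridden would make that explicit.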
+++ b/lib/pleroma/web/plugs/uploaded_media.ex
@@ -42,7 +42,7 @@ def call(%{request_path: <<"/", @path, "/", file::binary>>} = conn, opts) do
 conn ->
 conn
 end
- |> merge_resp_headers([{"content-security-policy", "sandbox"}])
+ |> merge_resp_headers([{"content-security-policy", "script-src none"}])

 config = Pleroma.Config.get(Pleroma.Upload)

diff --git a/mix.exs b/mix.exs
index 11fc15639..b74f568c8 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
 def project do
 [
 app: :pleroma,
- version: version("3.9.0"),
+ version: version("3.9.1"),
 elixir: "~> 1.14",
 elixirc_paths: elixirc_paths(Mix.env()),
 compilers: [:phoenix] ++ Mix.compilers(),
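Review bot: `script-src none` on the added `merge_resp_headers` line is not the CSP keyword: source-list keywords must be single-quoted, so an unquoted `none` is parsed as a host-source matching a host literally named `none`, and browsers emit a parse warning for it; the line should read `|> merge_resp_headers([{"content-security-policy", "script-src 'none'"}])`. Separately, replacing `sandbox` with a script-src-only directive drops the opaque-origin protection that `sandbox` gave an uploaded HTML/SVG opened directly as a document, while the sibling commit in this series adds `sandbox` to reverse_proxy.ex, so the two media paths now disagree. If `sandbox` was removed because it broke a concrete use case, the commit message should say which; otherwise `"sandbox"` (which already forbids script) or `"sandbox; script-src 'none'"` keeps both protections and matches the proxy. The enclosing `call/2` starts and ends outside this hunk.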