diff options
author | r <r@freesoftwareextremist.com> | 2023-10-15 15:53:44 +0000 |
---|---|---|
committer | r <r@freesoftwareextremist.com> | 2023-10-15 15:53:44 +0000 |
commit | 67b13c71baea56eeb15532ca1b1377f6da8d18ac (patch) | |
tree | c10bc1f71e283b431076fd376acf170906fa0188 /service/service.go | |
parent | ed521dd33d0d002c577a75e349136fed25b7fda5 (diff) | |
download | bloat-67b13c71baea56eeb15532ca1b1377f6da8d18ac.tar.gz bloat-67b13c71baea56eeb15532ca1b1377f6da8d18ac.zip |
Use CSP header to restrict resource loading
This helps mitigate XSS exploits.
Users will have to save the settings again to make the custom CSS
work.
Diffstat (limited to 'service/service.go')
-rw-r--r-- | service/service.go | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/service/service.go b/service/service.go index 2f87fa3..c925b83 100644 --- a/service/service.go +++ b/service/service.go @@ -1,6 +1,8 @@ package service import ( + "crypto/sha256" + "encoding/base64" "errors" "fmt" "mime/multipart" @@ -1014,8 +1016,18 @@ func (s *service) SaveSettings(c *client, settings *model.Settings) (err error) default: return errInvalidArgument } - if len(settings.CSS) > 1<<20 { - return errInvalidArgument + if len(settings.CSS) > 0 { + if len(settings.CSS) > 1<<20 { + return errInvalidArgument + } + // For some reason, browsers convert CRLF to LF before calculating + // the hash of the inline resources. + settings.CSS = strings.ReplaceAll(settings.CSS, "\x0d\x0a", "\x0a") + + h := sha256.Sum256([]byte(settings.CSS)) + settings.CSSHash = base64.StdEncoding.EncodeToString(h[:]) + } else { + settings.CSSHash = "" } c.s.Settings = *settings return c.setSession(c.s) |