From 67b13c71baea56eeb15532ca1b1377f6da8d18ac Mon Sep 17 00:00:00 2001
From: r
Date: Sun, 15 Oct 2023 15:53:44 +0000
Subject: Use CSP header to restrict resource loading

This helps mitigate XSS exploits. Users will have to save the settings again to make the custom CSS work.
---
 service/service.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
(limited to 'service/service.go')
diff --git a/service/service.go b/service/service.go
index 2f87fa3..c925b83 100644
--- a/service/service.go
+++ b/service/service.go
@@ -1,6 +1,8 @@
 package service

 import (
+ "crypto/sha256"
+ "encoding/base64"
 "errors"
 "fmt"
 "mime/multipart"
@@ -1014,8 +1016,18 @@ func (s *service) SaveSettings(c *client, settings *model.Settings) (err error)
 default:
 return errInvalidArgument
 }
- if len(settings.CSS) > 1<<20 {
- return errInvalidArgument
+ if len(settings.CSS) > 0 {
+ if len(settings.CSS) > 1<<20 {
+ return errInvalidArgument
+ }
+ // For some reason, browsers convert CRLF to LF before calculating
+ // the hash of the inline resources.
+ settings.CSS = strings.ReplaceAll(settings.CSS, "\x0d\x0a", "\x0a")
+ h := sha256.Sum256([]byte(settings.CSS))
+ settings.CSSHash = base64.StdEncoding.EncodeToString(h[:])
+ } else {
+ settings.CSSHash = ""
 }
 c.s.Settings = *settings
 return c.setSession(c.s)
-- cgit v1.2.3
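Review bot: The newline normalisation added to SaveSettings covers only CRLF, so a stylesheet that contains a bare CR would most likely still hash differently from what the browser computes and be blocked by the policy. The conversion the comment attributes to "some reason" is the HTML parser's input preprocessing, which turns CRLF and then any remaining lone CR into LF before the inline style text is hashed; I would replace the `strings.ReplaceAll` line with `settings.CSS = strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(settings.CSS)` and reword the comment to say so. The stored hash can also only match if the template emits settings.CSS byte-for-byte inside the style element, which cannot be checked here because the patch view is limited to service/service.go. SaveSettings begins and ends outside the hunk.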