Merge branch '17298-wiki-xss' into 'master'
Forbid scripting for wiki files Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability. Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298. See merge request !1969
This commit is contained in:
commit
c6ed8edf8e
|
@ -16,6 +16,9 @@ class Projects::WikisController < Projects::ApplicationController
|
|||
if @page
|
||||
render 'show'
|
||||
elsif file = @project_wiki.find_file(params[:id], params[:version_id])
|
||||
response.headers['Content-Security-Policy'] = "default-src 'none'"
|
||||
response.headers['X-Content-Security-Policy'] = "default-src 'none'"
|
||||
|
||||
if file.on_disk?
|
||||
send_file file.on_disk_path, disposition: 'inline'
|
||||
else
|
||||
|
|
Loading…
Reference in New Issue