From 4746d9eb801003712d4cd5065df1fefc1fb6e527 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Sat, 26 Jul 2014 11:01:16 +0000
Subject: [PATCH] Fix CSP to allow inline style and refresh Add filter to all
 webapps

---
 apps/addressbook/web.xml                                 | 9 +++++++++
 .../java/src/org/klomp/snark/web/I2PSnarkServlet.java    | 2 +-
 apps/i2psnark/web.xml                                    | 9 +++++++++
 apps/i2ptunnel/jsp/edit.jsp                              | 2 +-
 apps/i2ptunnel/jsp/index.jsp                             | 2 +-
 apps/i2ptunnel/jsp/web.xml                               | 9 +++++++++
 apps/i2ptunnel/jsp/wizard.jsp                            | 2 +-
 apps/routerconsole/jsp/css.jsi                           | 2 +-
 apps/susidns/src/WEB-INF/web-template.xml                | 9 +++++++++
 apps/susidns/src/jsp/config.jsp                          | 2 +-
 apps/susidns/src/jsp/details.jsp                         | 2 +-
 apps/susidns/src/jsp/index.jsp                           | 2 +-
 apps/susidns/src/jsp/subscriptions.jsp                   | 2 +-
 apps/susimail/src/WEB-INF/web.xml                        | 9 +++++++++
 apps/susimail/src/src/i2p/susi/webmail/WebMail.java      | 2 +-
 router/java/src/net/i2p/router/RouterVersion.java        | 2 +-
 16 files changed, 56 insertions(+), 11 deletions(-)

diff --git a/apps/addressbook/web.xml b/apps/addressbook/web.xml
index b791b4ea0e..1aebb0d096 100644
--- a/apps/addressbook/web.xml
+++ b/apps/addressbook/web.xml
@@ -4,6 +4,15 @@
     "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
 
 <web-app>
+    <filter>
+        <filter-name>XSSFilter</filter-name>
+        <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
 	<servlet>
 		<servlet-name>addressbook</servlet-name>
 		<servlet-class>net.i2p.addressbook.Servlet</servlet-class>
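Review bot: The new `<filter>` and `<filter-mapping>` elements are added under a `web-app_2.2.dtd` DOCTYPE, which defines no filter element — filters arrived with the Servlet 2.3 descriptor — so any container that validates the descriptor against its DTD would reject it; the same applies to the i2psnark, i2ptunnel, susidns and susimail descriptors in this patch. In the susidns and susimail descriptors the filter block is additionally placed before `<display-name>`, while the 2.3 DTD orders display-name ahead of filter. If the deployment relies on the container skipping validation, either switch the DOCTYPE to `http://java.sun.com/dtd/web-app_2_3.dtd` or make the dependency explicit with `<!-- filter elements need the 2.3 DTD; descriptor validation is not enabled -->` above the filter. `net.i2p.servlet.filters.XSSFilter` is referenced but not part of this patch, so what it enforces is not visible here; a one-line comment naming its purpose would help anyone reading these descriptors.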
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 1393238a3c..75aa762856 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -159,7 +159,7 @@ public class I2PSnarkServlet extends BasicServlet {
         // this is the part after /i2psnark
         String path = req.getServletPath();
         resp.setHeader("X-Frame-Options", "SAMEORIGIN");
-        resp.setHeader("Content-Security-Policy", "default-src 'self'");
+        resp.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
         resp.setHeader("X-XSS-Protection", "1; mode=block");
 
         String peerParam = req.getParameter("p");
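Review bot: Adding `'unsafe-inline'` to `script-src` on the new header line removes CSP's main protection against injected inline script, which is exactly what the `X-XSS-Protection` header on the following line is still trying to cover; the same relaxation is made in css.jsi and WebMail.java. The JSP pages in this patch only relax `style-src`, so it is not clear from the diff which inline scripts in i2psnark, the router console and susimail require this. If the "refresh" named in the subject is a `<meta http-equiv="refresh">`, CSP does not govern it and the script-src change may be unnecessary; otherwise, serving the inline scripts as files from `'self'` or allowing them by hash or nonce keeps the protection intact. At minimum a comment above the header such as `// script-src 'unsafe-inline' is needed by <INLINE SCRIPT HERE>; remove once it is externalized` keeps the exception from becoming permanent. The enclosing method of I2PSnarkServlet starts and ends outside the hunk.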
diff --git a/apps/i2psnark/web.xml b/apps/i2psnark/web.xml
index 2925ff00e3..68e6abd641 100644
--- a/apps/i2psnark/web.xml
+++ b/apps/i2psnark/web.xml
@@ -4,6 +4,15 @@
     "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
 
 <web-app>
+    <filter>
+        <filter-name>XSSFilter</filter-name>
+        <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <servlet>
      <servlet-name>org.klomp.snark.web.I2PSnarkServlet</servlet-name>
      <servlet-class>org.klomp.snark.web.I2PSnarkServlet</servlet-class>
diff --git a/apps/i2ptunnel/jsp/edit.jsp b/apps/i2ptunnel/jsp/edit.jsp
index bbe562eef0..08b07c7a59 100644
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -2,7 +2,7 @@
     // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
 
 %><%@page pageEncoding="UTF-8"
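Review bot: The relaxed policy string `default-src 'self'; style-src 'self' 'unsafe-inline'` is now hand-copied into edit.jsp, index.jsp and wizard.jsp here and into the four susidns JSPs, with a third variant in the servlets, so tightening the policy later means editing nine places consistently. A shared constant, or a helper that sets all three security headers, would keep the variants from drifting; since this block is a JSP scriptlet, such a helper would have to live in a class outside this hunk. `style-src 'unsafe-inline'` is a smaller weakening than the script-src change elsewhere in the patch, but a short comment above the header, e.g. `// style-src 'unsafe-inline': required by <INLINE STYLES IN THIS PAGE>`, would record why the default was relaxed and what would allow it to be removed.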
diff --git a/apps/i2ptunnel/jsp/index.jsp b/apps/i2ptunnel/jsp/index.jsp
index 8a401d68b7..f1117a272a 100644
--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@@ -6,7 +6,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
 
 %><%@page pageEncoding="UTF-8"
diff --git a/apps/i2ptunnel/jsp/web.xml b/apps/i2ptunnel/jsp/web.xml
index d8d51c8239..1fd11c13d8 100644
--- a/apps/i2ptunnel/jsp/web.xml
+++ b/apps/i2ptunnel/jsp/web.xml
@@ -4,6 +4,15 @@
     "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
 
 <web-app>
+    <filter>
+        <filter-name>XSSFilter</filter-name>
+        <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <!-- precompiled servlets -->
 
     <!-- yeah we could do this in a handler but this is easier -->
diff --git a/apps/i2ptunnel/jsp/wizard.jsp b/apps/i2ptunnel/jsp/wizard.jsp
index b885b5afe6..0749bb54ab 100644
--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@@ -6,7 +6,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
 
 %><%@page pageEncoding="UTF-8"
diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index a9446b037c..50c70d875c 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -32,7 +32,7 @@
    // clickjacking
    if (intl.shouldSendXFrame()) {
       response.setHeader("X-Frame-Options", "SAMEORIGIN");
-      response.setHeader("Content-Security-Policy", "default-src 'self'");
+      response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
       response.setHeader("X-XSS-Protection", "1; mode=block");
    }
 
diff --git a/apps/susidns/src/WEB-INF/web-template.xml b/apps/susidns/src/WEB-INF/web-template.xml
index 912be2f4cc..599826246b 100644
--- a/apps/susidns/src/WEB-INF/web-template.xml
+++ b/apps/susidns/src/WEB-INF/web-template.xml
@@ -3,6 +3,15 @@
     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
     "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
 <web-app>
+    <filter>
+        <filter-name>XSSFilter</filter-name>
+        <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
   <display-name>susidns</display-name>
     <!-- precompiled servlets -->
 
diff --git a/apps/susidns/src/jsp/config.jsp b/apps/susidns/src/jsp/config.jsp
index 1a9fb918d1..6a650d3f5d 100644
--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@@ -28,7 +28,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
 
 %>
diff --git a/apps/susidns/src/jsp/details.jsp b/apps/susidns/src/jsp/details.jsp
index cc0ba4df64..9334e43ca7 100644
--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
@@ -25,7 +25,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
 
 %>
diff --git a/apps/susidns/src/jsp/index.jsp b/apps/susidns/src/jsp/index.jsp
index 8c50f66740..505beeec7f 100644
--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@@ -28,7 +28,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
 
 %>
diff --git a/apps/susidns/src/jsp/subscriptions.jsp b/apps/susidns/src/jsp/subscriptions.jsp
index 002687003c..db588c6a8d 100644
--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@@ -28,7 +28,7 @@
         request.setCharacterEncoding("UTF-8");
 
     response.setHeader("X-Frame-Options", "SAMEORIGIN");
-    response.setHeader("Content-Security-Policy", "default-src 'self'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
     response.setHeader("X-XSS-Protection", "1; mode=block");
 
 %>
diff --git a/apps/susimail/src/WEB-INF/web.xml b/apps/susimail/src/WEB-INF/web.xml
index 75aa1fd484..23adde2d5b 100644
--- a/apps/susimail/src/WEB-INF/web.xml
+++ b/apps/susimail/src/WEB-INF/web.xml
@@ -3,6 +3,15 @@
     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
     "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
 <web-app>
+    <filter>
+        <filter-name>XSSFilter</filter-name>
+        <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
   <display-name>susimail</display-name>
   <servlet>
     <servlet-name>SusiMail</servlet-name>
diff --git a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
index a9391efc43..b67dbdfb80 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -1562,7 +1562,7 @@ public class WebMail extends HttpServlet
 		httpRequest.setCharacterEncoding("UTF-8");
 		response.setCharacterEncoding("UTF-8");
                 response.setHeader("X-Frame-Options", "SAMEORIGIN");
-                response.setHeader("Content-Security-Policy", "default-src 'self'");
+                response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
                 response.setHeader("X-XSS-Protection", "1; mode=block");
 		RequestWrapper request = new RequestWrapper( httpRequest );
 		
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 78754ef283..601535dbe6 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 20;
+    public final static long BUILD = 21;
 
     /** for example "-test" */
     public final static String EXTRA = "-rc";
-- 
GitLab