Add SslSchema config setting.
Reject URL usernames on registration. Reduce length of char variable name.
This commit is contained in:
parent
0f75e96a2d
commit
142359ce11
|
@ -12,7 +12,7 @@ import (
|
|||
|
||||
func SendActivationEmail(username string, email string, token string) error {
|
||||
schema := "http"
|
||||
if Site.EnableSsl {
|
||||
if Config.SslSchema {
|
||||
schema += "s"
|
||||
}
|
||||
// TODO: Move these to the phrase system
|
||||
|
@ -23,7 +23,7 @@ func SendActivationEmail(username string, email string, token string) error {
|
|||
|
||||
func SendValidationEmail(username string, email string, token string) error {
|
||||
schema := "http"
|
||||
if Site.EnableSsl {
|
||||
if Config.SslSchema {
|
||||
schema += "s"
|
||||
}
|
||||
r := func(body *string) func(name, val string) {
|
||||
|
|
|
@ -872,7 +872,7 @@ func parseMediaString(data string) (media MediaEmbed, ok bool) {
|
|||
host = strings.Split(Site.URL, ":")[0]
|
||||
// ?- Test this as I'm not sure it'll do what it should. If someone's running SSL on port 80 or non-SSL on port 443 then... Well... They're in far worse trouble than this...
|
||||
port = Site.Port
|
||||
if Site.EnableSsl {
|
||||
if Config.SslSchema {
|
||||
scheme = "https"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -293,7 +293,7 @@ func preRoute(w http.ResponseWriter, r *http.Request) (User, bool) {
|
|||
|
||||
// TODO: Add a config setting to disable this header
|
||||
// TODO: Have this header cover more things
|
||||
if Site.EnableSsl {
|
||||
if Config.SslSchema {
|
||||
w.Header().Set("Content-Security-Policy", "upgrade-insecure-requests")
|
||||
}
|
||||
|
||||
|
|
|
@ -99,6 +99,7 @@ type config struct {
|
|||
//LooseCSP bool
|
||||
LooseHost bool
|
||||
LoosePort bool
|
||||
SslSchema bool // Pretend we're using SSL, might be useful if a reverse-proxy terminates SSL in-front of Gosora
|
||||
DisableServerPush bool
|
||||
EnableCDNPush bool
|
||||
DisableNoavatarRange bool
|
||||
|
@ -174,6 +175,9 @@ func ProcessConfig() (err error) {
|
|||
Site.URL = strings.TrimSuffix(Site.URL, ":")
|
||||
Site.URL = Site.URL + ":" + Site.Port
|
||||
}
|
||||
if Site.EnableSsl {
|
||||
Config.SslSchema = Site.EnableSsl
|
||||
}
|
||||
if Config.DefaultPath == "" {
|
||||
Config.DefaultPath = "/topics/"
|
||||
}
|
||||
|
|
|
@ -808,7 +808,7 @@ func (r *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|||
// TODO: Abstract the redirect logic?
|
||||
w.Header().Set("Connection", "close")
|
||||
var s string
|
||||
if c.Site.EnableSsl {
|
||||
if c.Config.SslSchema {
|
||||
s = "s"
|
||||
}
|
||||
var p string
|
||||
|
@ -833,8 +833,8 @@ func (r *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|||
}
|
||||
|
||||
// TODO: Cover more suspicious strings and at a lower layer than this
|
||||
for _, char := range req.URL.Path {
|
||||
if char != '&' && !(char > 44 && char < 58) && char != '=' && char != '?' && !(char > 64 && char < 91) && char != '\\' && char != '_' && !(char > 96 && char < 123) {
|
||||
for _, ch := range req.URL.Path { //char
|
||||
if ch != '&' && !(ch > 44 && ch < 58) && ch != '=' && ch != '?' && !(ch > 64 && ch < 91) && ch != '\\' && ch != '_' && !(ch > 96 && ch < 123) {
|
||||
r.SuspiciousRequest(req,"Bad char in path")
|
||||
break
|
||||
}
|
||||
|
@ -869,7 +869,7 @@ func (r *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|||
h.Set("X-Frame-Options", "deny")
|
||||
h.Set("X-XSS-Protection", "1; mode=block") // TODO: Remove when we add a CSP? CSP's are horrendously glitchy things, tread with caution before removing
|
||||
h.Set("X-Content-Type-Options", "nosniff")
|
||||
if c.Config.RefNoRef || !c.Site.EnableSsl {
|
||||
if c.Config.RefNoRef || !c.Config.SslSchema {
|
||||
h.Set("Referrer-Policy","no-referrer")
|
||||
} else {
|
||||
h.Set("Referrer-Policy","strict-origin")
|
||||
|
|
|
@ -97,6 +97,7 @@
|
|||
"register_need_username":"You didn't put in a username.",
|
||||
"register_need_email":"You didn't put in an email.",
|
||||
"register_first_word_numeric":"The first word of your name must not be purely numeric",
|
||||
"register_url_username":"You cannot have a URL within your username",
|
||||
"register_suspicious_email":"Your email address is suspicious.",
|
||||
"register_password_mismatch":"The two passwords don't match.",
|
||||
"register_username_unavailable":"This username isn't available. Try another.",
|
||||
|
|
|
@ -202,12 +202,12 @@ func TestParser(t *testing.T) {
|
|||
l.Add("//"+url+"\n//"+url, eurl+"<br>"+eurl)
|
||||
l.Add("//"+url+"\n\n//"+url, eurl+"<br><br>"+eurl)
|
||||
|
||||
pre2 := c.Site.EnableSsl
|
||||
c.Site.EnableSsl = true
|
||||
pre2 := c.Config.SslSchema
|
||||
c.Config.SslSchema = true
|
||||
local := func(u string) {
|
||||
s := "//" + c.Site.URL
|
||||
fs := "http://" + c.Site.URL
|
||||
if c.Site.EnableSsl {
|
||||
if c.Config.SslSchema {
|
||||
s = "https:" + s
|
||||
fs = "https://" + c.Site.URL
|
||||
}
|
||||
|
@ -301,13 +301,13 @@ func TestParser(t *testing.T) {
|
|||
break
|
||||
}
|
||||
}
|
||||
c.Site.EnableSsl = pre2
|
||||
c.Config.SslSchema = pre2
|
||||
|
||||
l = &METriList{nil}
|
||||
pre := c.Site.URL // Just in case this is localhost...
|
||||
pre2 = c.Site.EnableSsl
|
||||
pre2 = c.Config.SslSchema
|
||||
c.Site.URL = "example.com"
|
||||
c.Site.EnableSsl = true
|
||||
c.Config.SslSchema = true
|
||||
l.Add("//"+c.Site.URL, "<a href='https://"+c.Site.URL+"'>"+c.Site.URL+"</a>")
|
||||
l.Add("//"+c.Site.URL+"\n", "<a href='https://"+c.Site.URL+"'>"+c.Site.URL+"</a><br>")
|
||||
l.Add("//"+c.Site.URL+"\n//"+c.Site.URL, "<a href='https://"+c.Site.URL+"'>"+c.Site.URL+"</a><br><a href='https://"+c.Site.URL+"'>"+c.Site.URL+"</a>")
|
||||
|
@ -323,7 +323,7 @@ func TestParser(t *testing.T) {
|
|||
}
|
||||
}
|
||||
c.Site.URL = pre
|
||||
c.Site.EnableSsl = pre2
|
||||
c.Config.SslSchema = pre2
|
||||
|
||||
c.AddHashLinkType("nnid-", func(sb *strings.Builder, msg string, i *int) {
|
||||
tid, intLen := c.CoerceIntString(msg[*i:])
|
||||
|
|
|
@ -531,7 +531,7 @@ func (r *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|||
// TODO: Abstract the redirect logic?
|
||||
w.Header().Set("Connection", "close")
|
||||
var s string
|
||||
if c.Site.EnableSsl {
|
||||
if c.Config.SslSchema {
|
||||
s = "s"
|
||||
}
|
||||
var p string
|
||||
|
@ -556,8 +556,8 @@ func (r *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|||
}
|
||||
|
||||
// TODO: Cover more suspicious strings and at a lower layer than this
|
||||
for _, char := range req.URL.Path {
|
||||
if char != '&' && !(char > 44 && char < 58) && char != '=' && char != '?' && !(char > 64 && char < 91) && char != '\\' && char != '_' && !(char > 96 && char < 123) {
|
||||
for _, ch := range req.URL.Path { //char
|
||||
if ch != '&' && !(ch > 44 && ch < 58) && ch != '=' && ch != '?' && !(ch > 64 && ch < 91) && ch != '\\' && ch != '_' && !(ch > 96 && ch < 123) {
|
||||
r.SuspiciousRequest(req,"Bad char in path")
|
||||
break
|
||||
}
|
||||
|
@ -592,7 +592,7 @@ func (r *GenRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|||
h.Set("X-Frame-Options", "deny")
|
||||
h.Set("X-XSS-Protection", "1; mode=block") // TODO: Remove when we add a CSP? CSP's are horrendously glitchy things, tread with caution before removing
|
||||
h.Set("X-Content-Type-Options", "nosniff")
|
||||
if c.Config.RefNoRef || !c.Site.EnableSsl {
|
||||
if c.Config.RefNoRef || !c.Config.SslSchema {
|
||||
h.Set("Referrer-Policy","no-referrer")
|
||||
} else {
|
||||
h.Set("Referrer-Policy","strict-origin")
|
||||
|
|
|
@ -235,6 +235,9 @@ func AccountRegisterSubmit(w http.ResponseWriter, r *http.Request, user c.User)
|
|||
if isNumeric(nameBits[0]) {
|
||||
regError(p.GetErrorPhrase("register_first_word_numeric"), "numeric-name")
|
||||
}
|
||||
if strings.Contains(name,"http://") || strings.Contains(name,"https://") || strings.Contains(name,"ftp://") || strings.Contains(name,"ssh://") {
|
||||
regError(p.GetErrorPhrase("register_url_username"), "url-name")
|
||||
}
|
||||
|
||||
// TODO: Add a dedicated function for validating emails
|
||||
email := c.SanitiseSingleLine(r.PostFormValue("email"))
|
||||
|
@ -807,12 +810,12 @@ func AccountPasswordResetSubmit(w http.ResponseWriter, r *http.Request, user c.U
|
|||
return c.InternalError(err, w, r)
|
||||
}
|
||||
|
||||
var schema string
|
||||
if c.Site.EnableSsl {
|
||||
schema = "s"
|
||||
var s string
|
||||
if c.Config.SslSchema {
|
||||
s = "s"
|
||||
}
|
||||
|
||||
err = c.SendEmail(tuser.Email, p.GetTmplPhrase("password_reset_subject"), p.GetTmplPhrasef("password_reset_body", tuser.Name, "http"+schema+"://"+c.Site.URL+"/accounts/password-reset/token/?uid="+strconv.Itoa(tuser.ID)+"&token="+token))
|
||||
err = c.SendEmail(tuser.Email, p.GetTmplPhrase("password_reset_subject"), p.GetTmplPhrasef("password_reset_body", tuser.Name, "http"+s+"://"+c.Site.URL+"/accounts/password-reset/token/?uid="+strconv.Itoa(tuser.ID)+"&token="+token))
|
||||
if err != nil {
|
||||
return c.LocalError(p.GetErrorPhrase("password_reset_email_fail"), w, r, user)
|
||||
}
|
||||
|
|
|
@ -33,13 +33,13 @@ func writeXMLHeader(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
// TODO: Keep track of when a sitemap was last modifed and add a lastmod element for it
|
||||
func SitemapXml(w http.ResponseWriter, r *http.Request) c.RouteError {
|
||||
var sslBit string
|
||||
if c.Site.EnableSsl {
|
||||
sslBit = "s"
|
||||
var s string
|
||||
if c.Config.SslSchema {
|
||||
s = "s"
|
||||
}
|
||||
sitemapItem := func(path string) {
|
||||
w.Write([]byte(`<sitemap>
|
||||
<loc>http` + sslBit + `://` + c.Site.URL + "/" + path + `</loc>
|
||||
<loc>http` + s + `://` + c.Site.URL + "/" + path + `</loc>
|
||||
</sitemap>
|
||||
`))
|
||||
}
|
||||
|
@ -95,13 +95,13 @@ func sitemapSwitch(w http.ResponseWriter, r *http.Request) c.RouteError {
|
|||
}
|
||||
|
||||
func SitemapForums(w http.ResponseWriter, r *http.Request) c.RouteError {
|
||||
var sslBit string
|
||||
if c.Site.EnableSsl {
|
||||
sslBit = "s"
|
||||
var s string
|
||||
if c.Config.SslSchema {
|
||||
s = "s"
|
||||
}
|
||||
sitemapItem := func(path string) {
|
||||
w.Write([]byte(`<url>
|
||||
<loc>http` + sslBit + `://` + c.Site.URL + path + `</loc>
|
||||
<loc>http` + s + `://` + c.Site.URL + path + `</loc>
|
||||
</url>
|
||||
`))
|
||||
}
|
||||
|
@ -129,13 +129,13 @@ func SitemapForums(w http.ResponseWriter, r *http.Request) c.RouteError {
|
|||
// TODO: Add a global ratelimit. 10 50MB files (smaller if compressed better) per minute?
|
||||
// ? We might have problems with banned users, if they have fewer ViewTopic permissions than guests as they'll be able to see this list. Then again, a banned user could just logout to see it
|
||||
func SitemapTopics(w http.ResponseWriter, r *http.Request) c.RouteError {
|
||||
var sslBit string
|
||||
if c.Site.EnableSsl {
|
||||
sslBit = "s"
|
||||
var s string
|
||||
if c.Config.SslSchema {
|
||||
s = "s"
|
||||
}
|
||||
sitemapItem := func(path string) {
|
||||
w.Write([]byte(`<sitemap>
|
||||
<loc>http` + sslBit + `://` + c.Site.URL + "/" + path + `</loc>
|
||||
<loc>http` + s + `://` + c.Site.URL + "/" + path + `</loc>
|
||||
</sitemap>
|
||||
`))
|
||||
}
|
||||
|
@ -171,13 +171,13 @@ func SitemapTopics(w http.ResponseWriter, r *http.Request) c.RouteError {
|
|||
}
|
||||
|
||||
func SitemapTopic(w http.ResponseWriter, r *http.Request, page int) c.RouteError {
|
||||
/*var sslBit string
|
||||
if c.Site.EnableSsl {
|
||||
sslBit = "s"
|
||||
/*var s string
|
||||
if c.Config.SslSchema {
|
||||
s = "s"
|
||||
}
|
||||
var sitemapItem = func(path string) {
|
||||
w.Write([]byte(`<url>
|
||||
<loc>http` + sslBit + `://` + c.Site.URL + "/" + path + `</loc>
|
||||
<loc>http` + s + `://` + c.Site.URL + "/" + path + `</loc>
|
||||
</url>
|
||||
`))
|
||||
}*/
|
||||
|
@ -254,7 +254,7 @@ func APIMe(w http.ResponseWriter, r *http.Request, user c.User) c.RouteError {
|
|||
|
||||
func OpenSearchXml(w http.ResponseWriter, r *http.Request) c.RouteError {
|
||||
furl := "http"
|
||||
if c.Site.EnableSsl {
|
||||
if c.Config.SslSchema {
|
||||
furl += "s"
|
||||
}
|
||||
furl += "://" + c.Site.URL
|
||||
|
|
|
@ -74,10 +74,11 @@ func ShowAttachment(w http.ResponseWriter, r *http.Request, user c.User, filenam
|
|||
if ferr != nil {
|
||||
return ferr
|
||||
}
|
||||
h := w.Header()
|
||||
if guest.Perms.ViewTopic {
|
||||
w.Header().Set("Cache-Control", "max-age="+strconv.Itoa(int(c.Year)))
|
||||
h.Set("Cache-Control", "max-age="+strconv.Itoa(int(c.Year)))
|
||||
} else {
|
||||
w.Header().Set("Cache-Control", "private")
|
||||
h.Set("Cache-Control", "private")
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -99,7 +99,7 @@ func renderTemplate2(tmplName string, hookName string, w http.ResponseWriter, r
|
|||
|
||||
func FootHeaders(w http.ResponseWriter, header *c.Header) {
|
||||
if !header.LooseCSP {
|
||||
if c.Site.EnableSsl {
|
||||
if c.Config.SslSchema {
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self' www.youtube-nocookie.com;upgrade-insecure-requests")
|
||||
} else {
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self' www.youtube-nocookie.com")
|
||||
|
|
|
@ -24,7 +24,7 @@ func successRedirect(dest string, w http.ResponseWriter, r *http.Request, js boo
|
|||
// TODO: Prerender needs to handle dyntmpl templates better...
|
||||
func renderTemplate(tmplName string, w http.ResponseWriter, r *http.Request, header *c.Header, pi interface{}) c.RouteError {
|
||||
if !header.LooseCSP {
|
||||
if c.Site.EnableSsl {
|
||||
if c.Config.SslSchema {
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self';upgrade-insecure-requests")
|
||||
} else {
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self'")
|
||||
|
|
Loading…
Reference in New Issue