perso/syncthing-arm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

cmd/syncthing: Add some common security releated HTTP headers (fixes #4360)

Browse Source 
GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/4361
This commit is contained in:
Jakob Borg
2017-09-10 08:28:12 +00:00
committed by Audrius Butkevicius
parent e85ce7c94e
commit 429cc20eb7
3 changed files with 40 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/syncthing/gui.go
+23 -2
View File
@@ -332,7 +332,7 @@ func (s *apiService) Serve() {
} }
// Add the CORS handling // Add the CORS handling
handler = corsMiddleware(handler) handler = corsMiddleware(handler, guiCfg.InsecureAllowFrameLoading)
if addressIsLocalhost(guiCfg.Address()) && !guiCfg.InsecureSkipHostCheck { if addressIsLocalhost(guiCfg.Address()) && !guiCfg.InsecureSkipHostCheck {
// Verify source host // Verify source host
@@ -459,7 +459,7 @@ func debugMiddleware(h http.Handler) http.Handler {
}) })
} }
func corsMiddleware(next http.Handler) http.Handler { func corsMiddleware(next http.Handler, allowFrameLoading bool) http.Handler {
// Handle CORS headers and CORS OPTIONS request. // Handle CORS headers and CORS OPTIONS request.
// CORS OPTIONS request are typically sent by browser during AJAX preflight // CORS OPTIONS request are typically sent by browser during AJAX preflight
// when the browser initiate a POST request. // when the browser initiate a POST request.
@@ -486,6 +486,27 @@ func corsMiddleware(next http.Handler) http.Handler {
return return
} }
// Other security related headers that should be present.
// https://www.owasp.org/index.php/Security_Headers
if !allowFrameLoading {
// We don't want to be rendered in an <iframe>,
// <frame> or <object>. (Unless we do it ourselves.
// This is also an escape hatch for people who serve
// Syncthing GUI as part of their own website
// through a proxy, so they don't need to set the
// allowFrameLoading bool.)
w.Header().Set("X-Frame-Options", "SAMEORIGIN")
}
// If the browser senses an XSS attack it's allowed to take
// action. (How this would not always be the default I
// don't fully understand.)
w.Header().Set("X-XSS-Protection", "1; mode=block")
// Our content type headers are correct. Don't guess.
w.Header().Set("X-Content-Type-Options", "nosniff")
// For everything else, pass to the next handler // For everything else, pass to the next handler
next.ServeHTTP(w, r) next.ServeHTTP(w, r)
return return
cmd/syncthing/gui_statics.go
+6 -6
View File
@@ -141,17 +141,17 @@ func (s *staticsServer) serveThemes(w http.ResponseWriter, r *http.Request) {
func (s *staticsServer) mimeTypeForFile(file string) string { func (s *staticsServer) mimeTypeForFile(file string) string {
// We use a built in table of the common types since the system // We use a built in table of the common types since the system
// TypeByExtension might be unreliable. But if we don't know, we delegate // TypeByExtension might be unreliable. But if we don't know, we delegate
// to the system. // to the system. All our files are UTF-8.
ext := filepath.Ext(file) ext := filepath.Ext(file)
switch ext { switch ext {
case ".htm", ".html": case ".htm", ".html":
return "text/html" return "text/html; charset=utf-8"
case ".css": case ".css":
return "text/css" return "text/css; charset=utf-8"
case ".js": case ".js":
return "application/javascript" return "application/javascript; charset=utf-8"
case ".json": case ".json":
return "application/json" return "application/json; charset=utf-8"
case ".png": case ".png":
return "image/png" return "image/png"
case ".ttf": case ".ttf":
@@ -159,7 +159,7 @@ func (s *staticsServer) mimeTypeForFile(file string) string {
case ".woff": case ".woff":
return "application/x-font-woff" return "application/x-font-woff"
case ".svg": case ".svg":
return "image/svg+xml" return "image/svg+xml; charset=utf-8"
default: default:
return mime.TypeByExtension(ext) return mime.TypeByExtension(ext)
} }
lib/config/guiconfiguration.go
+11 -10
View File
@@ -13,16 +13,17 @@ import (
) )
type GUIConfiguration struct { type GUIConfiguration struct {
Enabled bool `xml:"enabled,attr" json:"enabled" default:"true"` Enabled bool `xml:"enabled,attr" json:"enabled" default:"true"`
RawAddress string `xml:"address" json:"address" default:"127.0.0.1:8384"` RawAddress string `xml:"address" json:"address" default:"127.0.0.1:8384"`
User string `xml:"user,omitempty" json:"user"` User string `xml:"user,omitempty" json:"user"`
Password string `xml:"password,omitempty" json:"password"` Password string `xml:"password,omitempty" json:"password"`
RawUseTLS bool `xml:"tls,attr" json:"useTLS"` RawUseTLS bool `xml:"tls,attr" json:"useTLS"`
APIKey string `xml:"apikey,omitempty" json:"apiKey"` APIKey string `xml:"apikey,omitempty" json:"apiKey"`
InsecureAdminAccess bool `xml:"insecureAdminAccess,omitempty" json:"insecureAdminAccess"` InsecureAdminAccess bool `xml:"insecureAdminAccess,omitempty" json:"insecureAdminAccess"`
Theme string `xml:"theme" json:"theme" default:"default"` Theme string `xml:"theme" json:"theme" default:"default"`
Debugging bool `xml:"debugging,attr" json:"debugging"` Debugging bool `xml:"debugging,attr" json:"debugging"`
InsecureSkipHostCheck bool `xml:"insecureSkipHostcheck,omitempty" json:"insecureSkipHostcheck"` InsecureSkipHostCheck bool `xml:"insecureSkipHostcheck,omitempty" json:"insecureSkipHostcheck"`
InsecureAllowFrameLoading bool `xml:"insecureAllowFrameLoading,omitempty" json:"insecureAllowFrameLoading"`
} }
func (c GUIConfiguration) Address() string { func (c GUIConfiguration) Address() string {