Xymon Mailing List Archive search

Proposed patch for broken CSP

list Japheth Cleaver
Fri, 1 Dec 2017 10:23:24 -0800
Message-Id: <user-6d6540fa3ae4@xymon.invalid>

I can confirm that this update fixes the issue on the browsers I've 
tested as well.

Thanks, John for identifying the issue here.
Will be issuing a release update tonight.

Regards,
-jc


On 11/29/2017 4:18 AM, Thomas Eckert wrote:
Sorry for being late to the party.
I can confirm that the proposed patch work w/ 4.3.28 (on Raspbian) and fixes the “cannot use trends-form with Chrome browser”-issue.

Should be applied. JC?

All the best
Thomas

On 13 Nov 2017, at 19:58, John Thurston <user-ce4d79d99bab@xymon.invalid> wrote:

I propose the following patch to correct the broken form submission on the trends page:

--- ./xymon-4.3.28/lib/cgi.c-4.3.28	Thu Mar	3 14:44:55 2016
+++ ./xymon-4.3.28/lib/cgi.c	Mon Nov 13 09:43:38 2017
@@ -275,7 +275,7 @@
	else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
	else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
	else if (strncmp(str, "criticaleditor", 14) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
-	else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts;");
+	else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
	else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin allow-scripts allow-modals allow-popups;");
	else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;");
	else if (strncmp(str, "historylog", 10) == 0) csppol = strdup("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;");
Has anyone found other incorrect CSP headers ?

   Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska