Valider 9c6d1e3f rédigé par robocoder's avatar robocoder

fixes #1679 - clickjacking countermeasures

There are two aspects of this patch:
 * header.tpl - framebuster code
 * Controller.php - have the login views emit an "X-Frame-Options: deny" header in the HTTP response


git-svn-id: http://dev.piwik.org/svn/trunk@3267 59fd770c-687e-43c8-a1e3-f5a4ff64c105
parent 9323696d
...@@ -35,6 +35,7 @@ class Piwik_View implements Piwik_iView ...@@ -35,6 +35,7 @@ class Piwik_View implements Piwik_iView
private $smarty = false; private $smarty = false;
private $variables = array(); private $variables = array();
private $contentType = 'text/html; charset=utf-8'; private $contentType = 'text/html; charset=utf-8';
private $xFrameOptions = null;
public function __construct( $templateFile, $smConf = array(), $filter = true ) public function __construct( $templateFile, $smConf = array(), $filter = true )
{ {
...@@ -154,14 +155,19 @@ class Piwik_View implements Piwik_iView ...@@ -154,14 +155,19 @@ class Piwik_View implements Piwik_iView
} }
@header('Content-Type: '.$this->contentType); @header('Content-Type: '.$this->contentType);
@header("Pragma: "); @header('Pragma: ');
@header("Cache-Control: no-store, must-revalidate"); @header('Cache-Control: no-store, must-revalidate');
if($this->xFrameOptions)
{
@header('X-Frame-Options: '.$this->xFrameOptions);
}
return $this->smarty->fetch($this->template); return $this->smarty->fetch($this->template);
} }
/** /**
* Set Content-Type field in HTTP response * Set Content-Type field in HTTP response.
* Since PHP 5.1.2, header() protects against header injection attacks.
* *
* @param string $contentType * @param string $contentType
*/ */
...@@ -170,6 +176,19 @@ class Piwik_View implements Piwik_iView ...@@ -170,6 +176,19 @@ class Piwik_View implements Piwik_iView
$this->contentType = $contentType; $this->contentType = $contentType;
} }
/**
* Set X-Frame-Options field in the HTTP response.
*
* @param string $option ('deny' or 'sameorigin')
*/
public function setXFrameOptions( $option = 'deny' )
{
if($option == 'deny' || $option == 'sameorigin')
{
$this->xFrameOptions = $option;
}
}
/** /**
* Add form to view * Add form to view
* *
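Review bot: `setXFrameOptions()` silently drops any value it does not recognise — a caller passing `'DENY'`, `'SAMEORIGIN'` or a typo gets no header and no error, which is the wrong failure mode for a security header. Since the X-Frame-Options token is case-insensitive, normalise first and compare strictly: `$option = strtolower($option);` followed by `if($option === 'deny' || $option === 'sameorigin')`, and anything else should at least raise a notice rather than vanish. Note also that `$xFrameOptions` defaults to `null`, so every page that does not opt in (apparently the whole authenticated UI, since the setter is only called from the login views in this commit) remains frameable; a `'sameorigin'` default with an explicit opt-out for widgets meant to be embedded would cover more. The `@` on the `header()` call will additionally hide a "headers already sent" warning, in which case the protection is lost silently.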
...@@ -67,6 +67,7 @@ class Piwik_Login_Controller extends Piwik_Controller ...@@ -67,6 +67,7 @@ class Piwik_Login_Controller extends Piwik_Controller
$view->linkTitle = Piwik::getRandomTitle(); $view->linkTitle = Piwik::getRandomTitle();
$view->forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login; $view->forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login;
$view->addForm( $form ); $view->addForm( $form );
$view->setXFrameOptions('deny');
echo $view->render(); echo $view->render();
} }
...@@ -142,6 +143,7 @@ class Piwik_Login_Controller extends Piwik_Controller ...@@ -142,6 +143,7 @@ class Piwik_Login_Controller extends Piwik_Controller
$view->linkTitle = Piwik::getRandomTitle(); $view->linkTitle = Piwik::getRandomTitle();
$view->forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login; $view->forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login;
$view->addForm( $form ); $view->addForm( $form );
$view->setXFrameOptions('deny');
echo $view->render(); echo $view->render();
} }
...@@ -226,6 +228,7 @@ class Piwik_Login_Controller extends Piwik_Controller ...@@ -226,6 +228,7 @@ class Piwik_Login_Controller extends Piwik_Controller
$view->linkTitle = Piwik::getRandomTitle(); $view->linkTitle = Piwik::getRandomTitle();
$view->forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login; $view->forceSslLogin = Zend_Registry::get('config')->General->force_ssl_login;
$view->addForm( $form ); $view->addForm( $form );
$view->setXFrameOptions('deny');
echo $view->render(); echo $view->render();
} }
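Review bot: The `setXFrameOptions('deny')` call is repeated verbatim in three actions, so any future action in this controller that renders a login-related form will ship without the header unless its author remembers to add the line. If the views are created through a shared helper in this controller (not visible in these hunks), set the option there once; otherwise a short comment at each call site, e.g. `// login forms must never be framed (clickjacking, #1679)`, would record why the header is deliberately per-view. Each enclosing method starts outside the hunk.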
...@@ -6,32 +6,45 @@ ...@@ -6,32 +6,45 @@
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="plugins/CoreHome/templates/images/favicon.ico" /> <link rel="shortcut icon" href="plugins/CoreHome/templates/images/favicon.ico" />
<link rel="stylesheet" type="text/css" href="plugins/Login/templates/login.css" /> <link rel="stylesheet" type="text/css" href="plugins/Login/templates/login.css" />
{literal}
<style>body { display : none; }</style>
{/literal}
{if $forceSslLogin} {if $forceSslLogin}
{literal} {literal}
<script> <script>
if(window.location.protocol !== 'https:') { if(window.location.protocol !== 'https:') {
var url = window.location.toString(); var url = window.location.toString();
url = url.replace(/^http:/, 'https:'); url = url.replace(/^http:/, 'https:');
window.location.replace(url); window.location.replace(url);
} }
</script> </script>
{/literal} {/literal}
{/if} {/if}
{literal} {literal}
<script type="text/javascript"> <script type="text/javascript">
function focusit() { function focusit() {
var formLogin = document.getElementById('form_login'); var formLogin = document.getElementById('form_login');
if(formLogin) if(formLogin)
{ {
formLogin.focus(); formLogin.focus();
} }
} }
window.onload = focusit; window.onload = focusit;
</script> </script>
{/literal} {/literal}
<script type="text/javascript" src="libs/jquery/jquery.js"></script> <script type="text/javascript" src="libs/jquery/jquery.js"></script>
</head> </head>
<body class="login"> <body class="login">
<div id="logo"> {literal}
<a href="http://piwik.org" title="{$linkTitle}"><span class="h1"><span style="color: rgb(245, 223, 114);">P</span><span style="color: rgb(241, 175, 108);">i</span><span style="color: rgb(241, 117, 117);">w</span><span style="color: rgb(155, 106, 58);">i</span><span style="color: rgb(107, 50, 11);">k</span> <span class="description"># {'General_OpenSourceWebAnalytics'|translate}</span></span></a> <script type="text/javascript">
</div> if(self == top) {
var theBody = document.getElementsByTagName('body')[0];
theBody.style.display = 'block';
} else {
top.location = self.location;
}
</script>
{/literal}
<div id="logo">
<a href="http://piwik.org" title="{$linkTitle}"><span class="h1"><span style="color: rgb(245, 223, 114);">P</span><span style="color: rgb(241, 175, 108);">i</span><span style="color: rgb(241, 117, 117);">w</span><span style="color: rgb(155, 106, 58);">i</span><span style="color: rgb(107, 50, 11);">k</span> <span class="description"># {'General_OpenSourceWebAnalytics'|translate}</span></span></a>
</div>
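Review bot: The framebuster added at the top of `<body>` is a best-effort fallback and the template should say so, because it only runs once the header-based control has already failed, and if the `top.location` assignment is refused (some browsers block cross-origin frames from navigating the top window without user activation) the user is left with a blank page rather than an unframed one. Suggest a Smarty comment above the script: `{* Fallback framebuster: the X-Frame-Options header set by the controller is the primary control; the body stays hidden if busting fails *}`. Do not "fix" the blank-page case with a `<noscript>` rule that restores `display`, since an iframe with `sandbox` but no `allow-scripts` would then render the login form framed and clickable again. Minor: `if(self === top)` avoids loose comparison.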