CVE-2023-22735: Set a Content-Security-Policy header on proxied S3 data.

This was missed in 04cf68b45ebb5c03247a0d6453e35ffc175d55da; as this
content is fundamentally untrusted, it must be served with
`Content-Security-Policy` headers in order to be safe.  These headers
were not provided previously for S3 content because it was served from
the S3 domain.

This mitigates content served from Zulip which could be a stored XSS,
but only in browsers which support Content-Security-Policy headers;
see subsequent commit for the complete solution.
This commit is contained in:
Alex Vandiver 2023-01-10 20:12:32 +00:00
parent d41a00b83b
commit 36e97f8121
1 changed file with 1 addition and 0 deletions


@ -2,6 +2,7 @@
location ~ ^/internal/s3/(?<s3_hostname>[^/]+)/(?<s3_path>.*) {
internal;
include /etc/nginx/zulip-include/headers;
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
# The components of this path are originally double-URI-escaped
# (see zerver/view/upload.py). "location" matches are on
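Review bot: the new `add_header Content-Security-Policy ...` line in this `location` block only applies to 2xx/3xx responses, because nginx's `add_header` skips error responses unless the directive ends with `always`; an upstream 4xx/5xx from S3 (which can carry an HTML or XML body) would be relayed without the policy, so the line should read `add_header Content-Security-Policy "..." always;` if the intent is that every proxied S3 response is covered. Separately, `plugin-types application/pdf` is a deprecated directive that current browsers ignore, so the restriction of embedded objects to PDF does not hold in practice; the effective controls on this line are `default-src 'none'` (which already blocks scripts) and `object-src 'self'`, and the latter should be tightened to `object-src 'none'` unless PDF embedding via `<object>` is actually required for this content.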