From 36e97f8121a19a7955e666d24a80ea2cf3d0b75a Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Tue, 10 Jan 2023 20:12:32 +0000 Subject: [PATCH] CVE-2023-22735: Set a Content-Security-Policy header on proxied S3 data. This was missed in 04cf68b45ebb5c03247a0d6453e35ffc175d55da; as this content is fundamentally untrusted, it must be served with `Content-Security-Policy` headers in order to be safe. These headers were not provided previously for S3 content because it was served from the S3 domain. This mitigates content served from Zulip which could be a stored XSS, but only in browsers which support Content-Security-Policy headers; see subsequent commit for the complete solution. --- .../files/nginx/zulip-include-frontend/uploads-internal.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf index 41445f1ae9..b7d20c10c1 100644 --- a/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf +++ b/puppet/zulip/files/nginx/zulip-include-frontend/uploads-internal.conf @@ -2,6 +2,7 @@ location ~ ^/internal/s3/(?[^/]+)/(?.*) { internal; include /etc/nginx/zulip-include/headers; + add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;"; # The components of this path are originally double-URI-escaped # (see zerver/view/upload.py). "location" matches are on
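Review bot: the added `add_header Content-Security-Policy "default-src 'none'; ..."` line in the `location ~ ^/internal/s3/...` block has no `always` parameter, so nginx attaches it only to 2xx/3xx responses; an error body relayed from S3 (for example a 403 or 404 page) would leave this location without the policy. Consider `add_header Content-Security-Policy "..." always;` so every response from this internal proxy carries the header. Two smaller points on the policy value itself: `plugin-types` is deprecated in CSP Level 3 and no longer enforced by current Chromium, so in those browsers the PDF case rests on `object-src 'self'` alone, and `style-src 'unsafe-inline'` is broader than a pure file-serving path needs. Both are consistent with the commit message's own caveat that this header is a partial mitigation, effective only in CSP-aware browsers, with the complete fix deferred to the subsequent commit.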