add Content-Security-Policy so if there are other xss vulns they won't execute

This commit is contained in:
Micah Lee 2014-07-16 02:19:22 -07:00
parent 7a05516a65
commit 542cec15c6


@ -1,4 +1,5 @@
from flask import Flask, render_template from flask import Flask, render_template, make_response
from functools import wraps
import threading, json, os, time, platform, sys import threading, json, os, time, platform, sys
onionshare = None onionshare = None
@ -26,11 +27,36 @@ def debug_mode():
log_handler.setLevel(logging.WARNING) log_handler.setLevel(logging.WARNING)
app.logger.addHandler(log_handler) app.logger.addHandler(log_handler)
def add_response_headers(headers={}):
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
resp = make_response(f(*args, **kwargs))
h = resp.headers
for header, value in headers.items():
h[header] = value
return resp
return decorated_function
return decorator
def csp(f):
@wraps(f)
# disable inline js, external js
@add_response_headers({'Content-Security-Policy': "default-src 'self'; connect-src 'self'"})
# ugh, webkit embedded in Qt4 is stupid old
# TODO: remove webkit, build GUI with normal Qt widgets
@add_response_headers({'X-WebKit-CSP': "default-src 'self'; connect-src 'self'"})
def decorated_function(*args, **kwargs):
return f(*args, **kwargs)
return decorated_function
@app.route("/") @app.route("/")
@csp
def index(): def index():
return render_template('index.html') return render_template('index.html')
@app.route("/init_info") @app.route("/init_info")
@csp
def init_info(): def init_info():
global onionshare, filename, stay_open global onionshare, filename, stay_open
basename = os.path.basename(filename) basename = os.path.basename(filename)
@ -42,6 +68,7 @@ def init_info():
}) })
@app.route("/start_onionshare") @app.route("/start_onionshare")
@csp
def start_onionshare(): def start_onionshare():
global onionshare, onionshare_port, filename, onion_host, url global onionshare, onionshare_port, filename, onion_host, url
@ -62,6 +89,7 @@ def start_onionshare():
}) })
@app.route("/copy_url") @app.route("/copy_url")
@csp
def copy_url(): def copy_url():
if platform.system() == 'Windows': if platform.system() == 'Windows':
# Qt's QClipboard isn't working in Windows # Qt's QClipboard isn't working in Windows
@ -82,16 +110,19 @@ def copy_url():
return '' return ''
@app.route("/stay_open_true") @app.route("/stay_open_true")
@csp
def stay_open_true(): def stay_open_true():
global onionshare global onionshare
onionshare.set_stay_open(True) onionshare.set_stay_open(True)
@app.route("/stay_open_false") @app.route("/stay_open_false")
@csp
def stay_open_false(): def stay_open_false():
global onionshare global onionshare
onionshare.set_stay_open(False) onionshare.set_stay_open(False)
@app.route("/heartbeat") @app.route("/heartbeat")
@csp
def check_for_requests(): def check_for_requests():
global onionshare global onionshare
events = [] events = []
@ -107,6 +138,7 @@ def check_for_requests():
return json.dumps(events) return json.dumps(events)
@app.route("/close") @app.route("/close")
@csp
def close(): def close():
global qtapp global qtapp
time.sleep(1) time.sleep(1)