Git-Mirrors/onionshare
1
0
Fork 0
mirror of https://github.com/onionshare/onionshare.git synced 2024-10-01 01:35:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Update web.py

Browse Source
This commit is contained in:
whew 2021-05-13 08:17:51 +00:00 committed by GitHub
parent 04fae8ada1
commit ea72440543
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
cli/onionshare_cli/web/web.py
View File

@ -222,6 +222,21 @@ class Web:
return _check_login() return _check_login()
@self.app.after_request
def add_security_headers(r):
"""
Add security headers to a response
"""
for header, value in self.security_headers:
r.headers.set(header, value)
# Set a CSP header unless in website mode and the user has disabled it
if not self.settings.get("website", "disable_csp") or self.mode != "website":
r.headers.set(
"Content-Security-Policy",
"default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;",
)
return r
@self.app.errorhandler(404) @self.app.errorhandler(404)
def not_found(e): def not_found(e):
mode = self.get_mode() mode = self.get_mode()
@ -267,17 +282,11 @@ class Web:
"Someone has made too many wrong attempts to guess your password, so OnionShare has stopped the server. Start sharing again and send the recipient a new address to share." "Someone has made too many wrong attempts to guess your password, so OnionShare has stopped the server. Start sharing again and send the recipient a new address to share."
) )
r = make_response( return render_template("401.html", static_url_path=self.static_url_path), 401
render_template("401.html", static_url_path=self.static_url_path), 401
)
return self.add_security_headers(r)
def error403(self): def error403(self):
self.add_request(Web.REQUEST_OTHER, request.path) self.add_request(Web.REQUEST_OTHER, request.path)
r = make_response( return render_template("403.html", static_url_path=self.static_url_path), 403
render_template("403.html", static_url_path=self.static_url_path), 403
)
return self.add_security_headers(r)
def error404(self, history_id): def error404(self, history_id):
self.add_request( self.add_request(
@ -287,10 +296,7 @@ class Web:
) )
self.add_request(Web.REQUEST_OTHER, request.path) self.add_request(Web.REQUEST_OTHER, request.path)
r = make_response( return render_template("404.html", static_url_path=self.static_url_path), 404
render_template("404.html", static_url_path=self.static_url_path), 404
)
return self.add_security_headers(r)
def error405(self, history_id): def error405(self, history_id):
self.add_request( self.add_request(
@ -300,24 +306,7 @@ class Web:
) )
self.add_request(Web.REQUEST_OTHER, request.path) self.add_request(Web.REQUEST_OTHER, request.path)
r = make_response( return render_template("405.html", static_url_path=self.static_url_path), 405
render_template("405.html", static_url_path=self.static_url_path), 405
)
return self.add_security_headers(r)
def add_security_headers(self, r):
"""
Add security headers to a request
"""
for header, value in self.security_headers:
r.headers.set(header, value)
# Set a CSP header unless in website mode and the user has disabled it
if not self.settings.get("website", "disable_csp") or self.mode != "website":
r.headers.set(
"Content-Security-Policy",
"default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;",
)
return r
def _safe_select_jinja_autoescape(self, filename): def _safe_select_jinja_autoescape(self, filename):
if filename is None: if filename is None: