Original release 20160919

[fex.git] / lib / fex.pp

diff --git a/lib/fex.pp b/lib/fex.pp
index be911d2fd9f70b67263bec01bd85b4b92d41dfc0..177babac657e927a0cb175aa3d5785bb6363beae 100644 (file)
--- a/lib/fex.pp
+++ b/lib/fex.pp
@@ -62,6 +62,18 @@ $fop_auth = 0;
 $mail_authid = 'yes';
 $force_https = 0;
 $debug = 0;
+@forbidden_user_agents = ('FDM');
+
+# https://securityheaders.io/
+# https://scotthelme.co.uk/hardening-your-http-response-headers/
+# http://content-security-policy.com/
+@extra_header = (
+  # "Content-Security-Policy: sandbox allow-forms allow-scripts",
+  "Content-Security-Policy: script-src 'self' 'unsafe-inline'",
+  "X-Frame-Options: SAMEORIGIN",
+  "X-XSS-Protection: 1; mode=block",
+  "X-Content-Type-Options: nosniff",
+);
 
 $FHS = -f '/etc/fex/fex.ph' and -d '/usr/share/fex/lib';
 # Debian FHS
@@ -113,6 +125,7 @@ http_die("cannot determine the server hostname") unless $hostname;
 
 $ENV{PROTO} = 'http' unless $ENV{PROTO};
 $keep = $keep_default ||= $keep || 5;
+$purge ||= 3*$keep;
 $fra = $ENV{REMOTE_ADDR} || '';
 $sid = $ENV{SID} || '';
 
@@ -277,12 +290,12 @@ sub http_header {
   nvt_print("Server: fexsrv");
   nvt_print("Expires: 0");
   nvt_print("Cache-Control: no-cache");
-  # http://en.wikipedia.org/wiki/Clickjacking
-  nvt_print("X-Frame-Options: SAMEORIGIN");
   if ($force_https) {
     # https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
+    # https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
     nvt_print("Strict-Transport-Security: max-age=2851200; preload");
   }
+  nvt_print($_) foreach(@extra_header);
   if ($use_cookies) {
     $akey = md5_hex("$from:$id") if $id and $from;
     if ($akey) {
@@ -309,6 +322,8 @@ sub html_header {
   my $header = 'header.html';
   my $head;
 
+  binmode(STDOUT,':utf8'); # for text/html !
+
   # http://www.w3.org/TR/html401/struct/global.html
   # http://www.w3.org/International/O-charset
   $head = qqq(qq(
@@ -359,6 +374,12 @@ sub html_error {
 
   errorlog($msg);
 
+  $SIG{ALRM} = sub {
+    $SIG{__DIE__} = 'DEFAULT';
+    die "TIMEOUT\n";
+  };
+  alarm($timeout);
+
   # cannot send standard HTTP Status-Code 400, because stupid
   # Internet Explorer then refuses to display HTML body!
   http_header("666 Bad Request - $msg");
@@ -1551,8 +1572,8 @@ sub notify {
         or http_die("cannot start sendmail - $!");
     }
   }
-  $comment .= "\n" if $comment;
-  if ($comment =~ s/^!(shortmail|\.)!\s*//i
+  $comment = "\n$comment\n" if $comment;
+  if ($comment =~ s/\n!(shortmail|\.)!\s*//i
     or (readlink("$to/\@NOTIFICATION")||'') =~ /short/i
   ) {
     $body = qqq(qq(
@@ -1569,7 +1590,7 @@ sub notify {
       ''
       'Questions? ==> F*EX admin: $admin'
     ));
-    $disclaimer .= "\n" . $::disclaimer if $::disclaimer;
+    $disclaimer .= "\n$::disclaimer\n" if $::disclaimer;
     $body = qqq(qq(
       '$comment'
       '$from has uploaded the file'