Original release 20160328
index be911d2fd9f70b67263bec01bd85b4b92d41dfc0..8bfddbf550276afad07c019c7c35b6820cd168f5 100644 (file)
@@ -63,6 +63,17 @@ $mail_authid = 'yes';
 $force_https = 0;
 $debug = 0;
 
+# https://securityheaders.io/
+# https://scotthelme.co.uk/hardening-your-http-response-headers/
+# http://content-security-policy.com/
+@extra_header = (
+  # "Content-Security-Policy: sandbox allow-forms allow-scripts",
+  "Content-Security-Policy: script-src 'self' 'unsafe-inline'",
+  "X-Frame-Options: SAMEORIGIN",
+  "X-XSS-Protection: 1; mode=block",
+  "X-Content-Type-Options: nosniff",
+);
+
 $FHS = -f '/etc/fex/fex.ph' and -d '/usr/share/fex/lib';
 # Debian FHS
 if ($FHS) {
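Review bot: The `'unsafe-inline'` token in the `script-src` directive on the new `Content-Security-Policy` line leaves injected inline `<script>` blocks executable, so the policy adds little XSS mitigation beyond blocking scripts loaded from other hosts. The policy also sets no `default-src`, so `<object>`/`<embed>` plugin content and `<base>` rewrites stay unrestricted; at minimum I would add `object-src 'none'` and `base-uri 'self'`: `"Content-Security-Policy: script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'",`. Dropping `'unsafe-inline'` presumably requires the inline scripts in the generated pages to be moved to files or nonced, which is outside this hunk. A comment above the array would also help, since these values are printed verbatim by `http_header` in a later hunk: `# emitted verbatim by http_header(); one complete "Name: value" line per element`.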
@@ -277,12 +288,12 @@ sub http_header {
   nvt_print("Server: fexsrv");
   nvt_print("Expires: 0");
   nvt_print("Cache-Control: no-cache");
-  # http://en.wikipedia.org/wiki/Clickjacking
-  nvt_print("X-Frame-Options: SAMEORIGIN");
   if ($force_https) {
     # https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
+    # https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
     nvt_print("Strict-Transport-Security: max-age=2851200; preload");
   }
+  nvt_print($_) foreach(@extra_header);
   if ($use_cookies) {
     $akey = md5_hex("$from:$id") if $id and $from;
     if ($akey) {
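Review bot: The unconditional `X-Frame-Options: SAMEORIGIN` print is removed here, so clickjacking protection now depends entirely on `@extra_header`, a configuration variable living next to `$force_https` and `$debug`; if a site's config override (presumably `fex.ph`, judging by the `$FHS` handling in the earlier hunk) reassigns that array, the header silently disappears. Either keep the `X-Frame-Options` print in `http_header` or add a comment at the `foreach` line: `# security headers come from @extra_header in the config section; a config override that drops X-Frame-Options re-enables clickjacking`. Separately, the new comment cites HSTS preloading, but the header on the next line sends `preload` with `max-age=2851200` (33 days), which is below what the preload list accepts (historically 18 weeks, now one year, plus `includeSubDomains`), so the token is currently inert. `http_header` continues past the end of the hunk.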
@@ -1551,8 +1562,8 @@ sub notify {
         or http_die("cannot start sendmail - $!");
     }
   }
-  $comment .= "\n" if $comment;
-  if ($comment =~ s/^!(shortmail|\.)!\s*//i
+  $comment = "\n$comment\n" if $comment;
+  if ($comment =~ s/\n!(shortmail|\.)!\s*//i
     or (readlink("$to/\@NOTIFICATION")||'') =~ /short/i
   ) {
     $body = qqq(qq(
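Review bot: The trailing `\s*` in the new substitution also consumes the newline that the preceding assignment just prepended, so a comment whose first line carries the marker comes out as `text\n` with no leading newline, while a comment with the marker on a later line keeps the full `\n…\n` wrapping; if the mail template relies on that leading blank line, spacing differs between the two cases. A form such as `s/\n!(?:shortmail|\.)![ \t]*\n?/\n/i` keeps the wrapping consistent, at the cost of leaving a bare `\n` when the comment was only the marker — worth checking against how `$comment` is used in the short body that starts on the last hunk line. The capture group is not used afterwards and could be non-capturing. `notify` starts and ends outside the hunk.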
@@ -1569,7 +1580,7 @@ sub notify {
       ''
       'Questions? ==> F*EX admin: $admin'
     ));
-    $disclaimer .= "\n" . $::disclaimer if $::disclaimer;
+    $disclaimer .= "\n$::disclaimer\n" if $::disclaimer;
     $body = qqq(qq(
       '$comment'
       '$from has uploaded the file'