X-Git-Url: http://git.treefish.org/fex.git/blobdiff_plain/c65ee6f7429eff9a7f58aad7c0aec858ad473092..20160328:/lib/fex.pp
diff --git a/lib/fex.pp b/lib/fex.pp
index be911d2..8bfddbf 100644
--- a/lib/fex.pp
+++ b/lib/fex.pp
@@ -63,6 +63,17 @@ $mail_authid = 'yes';
 $force_https = 0;
 $debug = 0;
+# https://securityheaders.io/
+# https://scotthelme.co.uk/hardening-your-http-response-headers/
+# http://content-security-policy.com/
+@extra_header = (
+ # "Content-Security-Policy: sandbox allow-forms allow-scripts",
+ "Content-Security-Policy: script-src 'self' 'unsafe-inline'",
+ "X-Frame-Options: SAMEORIGIN",
+ "X-XSS-Protection: 1; mode=block",
+ "X-Content-Type-Options: nosniff",
+);
+
 $FHS = -f '/etc/fex/fex.ph' and -d '/usr/share/fex/lib'; # Debian FHS
 if ($FHS) {
@@ -277,12 +288,12 @@ sub http_header {
 nvt_print("Server: fexsrv");
 nvt_print("Expires: 0");
 nvt_print("Cache-Control: no-cache");
- # http://en.wikipedia.org/wiki/Clickjacking
- nvt_print("X-Frame-Options: SAMEORIGIN");
 if ($force_https) {
 # https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
+ # https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
 nvt_print("Strict-Transport-Security: max-age=2851200; preload");
 }
+ nvt_print($_) foreach(@extra_header);
 if ($use_cookies) {
 $akey = md5_hex("$from:$id") if $id and $from;
 if ($akey) {
@@ -1551,8 +1562,8 @@ sub notify {
 or http_die("cannot start sendmail - $!");
 }
 }
- $comment .= "\n" if $comment;
- if ($comment =~ s/^!(shortmail|\.)!\s*//i
+ $comment = "\n$comment\n" if $comment;
+ if ($comment =~ s/\n!(shortmail|\.)!\s*//i
 or (readlink("$to/\@NOTIFICATION")||'') =~ /short/i
 ) {
 $body = qqq(qq(
@@ -1569,7 +1580,7 @@ sub notify {
 ''
 'Questions? ==> F*EX admin: $admin'
 ));
- $disclaimer .= "\n" . $::disclaimer if $::disclaimer;
+ $disclaimer .= "\n$::disclaimer\n" if $::disclaimer;
 $body = qqq(qq(
 '$comment'
 '$from has uploaded the file'
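Review bot: The new default `Content-Security-Policy: script-src 'self' 'unsafe-inline'` in @extra_header gives little real protection, because `'unsafe-inline'` permits exactly the injected inline scripts a CSP is meant to block, and with no `default-src`, `object-src` or `base-uri` directive every other resource type stays unrestricted. Presumably `'unsafe-inline'` is there because the F*EX HTML pages carry inline scripts; that reason belongs next to the entry, e.g. `# 'unsafe-inline' is needed by the inline scripts in the HTML pages; tighten once they move to script files`, so the next maintainer does not read the policy as stronger than it is. A cheap tightening that does not affect the scripts is appending `; object-src 'none'` to the same line. The commented-out `sandbox` variant should either say why it was rejected or be dropped, since a dead alternative inside a security default invites someone to enable it untested.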
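Review bot: Moving X-Frame-Options out of http_header into @extra_header makes the clickjacking protection depend on the configured list, so a site that overrides @extra_header (presumably possible from fex.ph, which this file already reads) silently loses it together with nosniff. A comment at the new `nvt_print($_) foreach(@extra_header);` line should say so, e.g. `# security headers (CSP, X-Frame-Options, nosniff) come from @extra_header; keep the defaults when overriding it`. Style: a named loop variable avoids passing the global `$_` through a sub call that may clobber it, `foreach my $header (@extra_header) { nvt_print($header) }`, and a space before the parenthesis keeps `foreach(` from reading like a function call. http_header begins before and ends after this hunk.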
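Review bot: Changing the anchor from `^` to `\n` means the `!shortmail!` / `!.!` marker is now recognised and stripped on any line of the comment, not only at its start, because the comment is now wrapped in newlines on both sides; if only a leading marker is intended, use `\A\n!(shortmail|\.)!\s*` (the wrapping guarantees the leading newline). Note also that `\s*` swallows the newline following the marker, so a comment consisting only of the marker becomes the empty string after the substitution, which any later test of `$comment` (outside this hunk) has to be prepared for. A short comment above the substitution stating the intended rule, `# a !shortmail! or !.! marker on its own line selects the short notification and is removed`, would make the regex change reviewable. notify begins before and ends after this hunk.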