Commit

Merge tag 'v3.6.29'
phorward committed Dec 11, 2024
2 parents 652dd60 + 825c85f commit 9e3845c
Showing 2 changed files with 15 additions and 2 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -94,6 +94,10 @@ This file documents any relevant changes done to ViUR-core since version 3.
- refactor: Send emails from `EmailTransport` instances instead of class (#1250)
- refactor: Sub-class `Session` from `db.Entity` to behave `dict`-compliant (#1153)

## [3.6.29]

- fix: Don't create a CSP nonce if unsafe-inline is enabled (#1347)

## [3.6.28]

- fix: Hotfix for refactored `getSkel()` ported down from 3.7 source (#1341)
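Review bot: the new changelog entry `- fix: Don't create a CSP nonce if unsafe-inline is enabled (#1347)` is broader than what the accompanying code change does, which only looks at the enforced `style-src` directive. Stating the scope avoids readers assuming a `default-src` or report-only `unsafe-inline` also suppresses the nonce, e.g. `- fix: Don't create a CSP nonce for error pages if `unsafe-inline` is set in the enforced `style-src` directive (#1347)`.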
13 changes: 11 additions & 2 deletions src/viur/core/request.py
@@ -415,9 +415,18 @@ def _process(self):
if filename := conf.main_app.render.getTemplateFileName((f"{error_info['status']}", "error"),
raise_exception=False):
template = conf.main_app.render.getEnv().get_template(filename)
nonce = utils.string.random(16)
try:
uses_unsafe_inline = \
"unsafe-inline" in conf.security.content_security_policy["enforce"]["style-src"]
except (KeyError, TypeError): # Not set
uses_unsafe_inline = False
if uses_unsafe_inline:
logging.info("Using style-src:unsafe-inline, don't create a nonce")
nonce = None
else:
nonce = utils.string.random(16)
extendCsp({"style-src": [f"nonce-{nonce}"]})
res = template.render(error_info, nonce=nonce)
extendCsp({"style-src": [f"nonce-{nonce}"]})
else:
res = (f'<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">'
f'<title>{error_info["status"]} - {error_info["reason"]}</title>'
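Review bot: the membership test `"unsafe-inline" in conf.security.content_security_policy["enforce"]["style-src"]` behaves differently depending on how that directive is stored, and the hunk does not show which it is. If the value is a list of source expressions, `in` is an exact-element match and will not match a quoted `'unsafe-inline'` entry (the form the CSP header actually carries); if it is a string, it is a substring match that would also hit unrelated text. Consider normalising before comparing, e.g. `any(src.strip("'") == "unsafe-inline" for src in sources)`, so the decision to skip the nonce is made on the same value that ends up in the header. Two smaller points: the `except (KeyError, TypeError): # Not set` branch silently treats a missing or malformed `enforce`/`style-src` entry as "no unsafe-inline", which is the safe default (a nonce is still generated) but worth a debug log line so a misconfigured policy is visible; and `res = template.render(error_info, nonce=nonce)` now passes `nonce=None` in the unsafe-inline case, so the error template should be checked to ensure it omits the attribute rather than rendering `nonce="None"`.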
0 comments on commit 9e3845c