From 6c1f0dde0c4cccd8e132d27842a3cba556648d02 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 13 Mar 2022 17:24:47 +0100
Subject: [PATCH] set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
---
 CHANGELOG.md | 1 +
 lib/Controller.php | 11 +++++++++++
 tpl/bootstrap.php | 1 +
 tpl/page.php | 1 +
 tst/ViewTest.php | 1 +
 5 files changed, 15 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4ba1cde..ef114663 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 * ADDED: Google Cloud Storage backend support (#795)
 * ADDED: Oracle database support (#868)
 * ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
+ * ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
 * CHANGED: Language selection cookie only transmitted over HTTPS (#472)
 * CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21 & Showdown 2.0.0
 * CHANGED: Removed automatic `.ini` configuration file migration (#808)
diff --git a/lib/Controller.php b/lib/Controller.php
index 56f424c0..34087957 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -364,6 +364,16 @@ class Controller
 setcookie('lang', $languageselection, 0, '', '', true);
 }
+ // strip policies that are unsupported in meta tag
+ $metacspheader = str_replace(
+ array(
+ 'frame-ancestors \'none\'; ',
+ '; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+ ),
+ '',
+ $this->_conf->getKey('cspheader')
+ );
+
 $page = new View;
 $page->assign('NAME', $this->_conf->getKey('name'));
 $page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
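Review bot: The `str_replace` that builds `$metacspheader` only strips `frame-ancestors` and `sandbox` when the configured `cspheader` contains those two literal substrings, spacing and token order included; an operator who reorders the policy, changes the sandbox token list or uses `frame-ancestors 'self'` ends up with a meta tag that still carries directives browsers do not honour in a `<meta>` element, so the intended stripping silently stops working and the browser logs the rejected directives on every page. Filtering by directive name instead of exact text keeps the meta policy in step with whatever is configured and yields the same string as today for the shipped default; a sketch replacing the added `str_replace` block follows, while the later hunk that does `$page->assign('CSPHEADER', $metacspheader);` can stay as it is. Whether the template escapes the value into the `content` attribute cannot be judged here, since the added lines of the two template hunks are not visible in this extract. The enclosing method starts before this hunk.
```php
        // drop directives that browsers do not honour in a <meta> element
        $metacspheader = implode('; ', array_filter(
            array_map('trim', explode(';', $this->_conf->getKey('cspheader'))),
            function ($directive) {
                $name = explode(' ', $directive, 2);
                return $directive !== '' && !in_array(
                    strtolower($name[0]),
                    array('frame-ancestors', 'sandbox', 'report-uri'),
                    true
                );
            }
        ));
        // … unchanged: $page = new View; and the assign() calls …
```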
@@ -392,6 +402,7 @@ class Controller
 $page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
 $page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
 $page->assign('COMPRESSION', $this->_conf->getKey('compression'));
+ $page->assign('CSPHEADER', $metacspheader);
 $page->draw($this->_conf->getKey('template'));
 }
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 0808fff6..1fc8feb2 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -7,6 +7,7 @@ $isPage = substr($template, -5) === '-page';
+
diff --git a/tpl/page.php b/tpl/page.php
index b8c83805..74254c8e 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -4,6 +4,7 @@ use PrivateBin\I18n;
+
 <?php echo I18n::_($NAME); ?>
diff --git a/tst/ViewTest.php b/tst/ViewTest.php
index c729b4ef..1e4d9374 100644
--- a/tst/ViewTest.php
+++ b/tst/ViewTest.php
@@ -60,6 +60,7 @@ class ViewTest extends PHPUnit_Framework_TestCase
 $page->assign('HTTPWARNING', true);
 $page->assign('HTTPSLINK', 'https://example.com/');
 $page->assign('COMPRESSION', 'zlib');
+ $page->assign('CSPHEADER', 'default-src \'none\'');
 $dir = dir(PATH . 'tpl');
 while (false !== ($file = $dir->read())) {