Even slightly more CSP refactoring

This commit is contained in:
Raphael Michel
2017-03-07 22:30:15 +01:00
parent cbf735487f
commit 2302dbade6
2 changed files with 25 additions and 22 deletions


@@ -135,19 +135,19 @@ def get_language_from_request(request: HttpRequest) -> str:
) )
class SecurityMiddleware(MiddlewareMixin): def _parse_csp(header):
def _parse_csp(self, header):
h = {} h = {}
for part in header.split(';'): for part in header.split(';'):
k, v = part.strip().split(' ', 1) k, v = part.strip().split(' ', 1)
h[k.strip()] = v.split(' ') h[k.strip()] = v.split(' ')
return h return h
def _render_csp(self, h):
def _render_csp(h):
return "; ".join(k + ' ' + ' '.join(v) for k, v in h.items()) return "; ".join(k + ' ' + ' '.join(v) for k, v in h.items())
def _merge_csp(self, a, b):
def _merge_csp(a, b):
for k, v in a.items(): for k, v in a.items():
if k in b: if k in b:
a[k] += b[k] a[k] += b[k]
@@ -156,6 +156,9 @@ class SecurityMiddleware(MiddlewareMixin):
if k not in a: if k not in a:
a[k] = b[k] a[k] = b[k]
class SecurityMiddleware(MiddlewareMixin):
def process_response(self, request, resp): def process_response(self, request, resp):
if settings.DEBUG and resp.status_code >= 400: if settings.DEBUG and resp.status_code >= 400:
# Don't use CSP on debug error page as it breaks of Django's fancy error # Don't use CSP on debug error page as it breaks of Django's fancy error
@@ -180,7 +183,7 @@ class SecurityMiddleware(MiddlewareMixin):
'form-action': ["{dynamic}', 'https:"], 'form-action': ["{dynamic}', 'https:"],
} }
if 'Content-Security-Policy' in resp: if 'Content-Security-Policy' in resp:
self._merge_csp(h, self._parse_csp(resp['Content-Security-Policy'])) _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
staticdomain = "'self'" staticdomain = "'self'"
dynamicdomain = "'self'" dynamicdomain = "'self'"
@@ -193,5 +196,5 @@ class SecurityMiddleware(MiddlewareMixin):
else: else:
staticdomain += " " + settings.SITE_URL staticdomain += " " + settings.SITE_URL
dynamicdomain += " " + settings.SITE_URL dynamicdomain += " " + settings.SITE_URL
resp['Content-Security-Policy'] = self._render_csp(h).format(static=staticdomain, dynamic=dynamicdomain) resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain)
return resp return resp


@@ -240,8 +240,8 @@ MIDDLEWARE = [
'django.middleware.clickjacking.XFrameOptionsMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware',
'pretix.control.middleware.PermissionMiddleware', 'pretix.control.middleware.PermissionMiddleware',
'pretix.base.middleware.LocaleMiddleware', 'pretix.base.middleware.LocaleMiddleware',
'pretix.presale.middleware.EventMiddleware',
'pretix.base.middleware.SecurityMiddleware', 'pretix.base.middleware.SecurityMiddleware',
'pretix.presale.middleware.EventMiddleware',
] ]
try: try:
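Review bot: The new position of `'pretix.base.middleware.SecurityMiddleware'` above `'pretix.presale.middleware.EventMiddleware'` is a security invariant that nothing in the list records: Django runs `process_response` in reverse list order, so `SecurityMiddleware` now renders the final `Content-Security-Policy` after the event layer and the view have had their say, and a later reordering would silently undo that. A one-line comment above the `SecurityMiddleware` entry, such as `# Keep above EventMiddleware: its process_response must run last to merge and render the final CSP header`, pins the dependency where the next editor will see it. Whether `EventMiddleware` itself sets CSP-related headers is not visible here; the comment should only claim the ordering, not that behaviour.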