Index: openacs-4/packages/acs-bootstrap-installer/acs-bootstrap-installer.info =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-bootstrap-installer/acs-bootstrap-installer.info,v diff -u -r1.39.2.13 -r1.39.2.14 --- openacs-4/packages/acs-bootstrap-installer/acs-bootstrap-installer.info 5 Sep 2016 11:34:40 -0000 1.39.2.13 +++ openacs-4/packages/acs-bootstrap-installer/acs-bootstrap-installer.info 6 Sep 2016 17:33:55 -0000 1.39.2.14 @@ -9,7 +9,7 @@ f t - + Don Baccus Bootstraps an OpenACS installation. 2015-10-04 @@ -18,7 +18,7 @@ GPL 3 - + Index: openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.adp,v diff -u -r1.2.2.1 -r1.2.2.2 --- openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.adp 5 Sep 2016 11:34:40 -0000 1.2.2.1 +++ openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.adp 6 Sep 2016 17:33:55 -0000 1.2.2.2 @@ -8,7 +8,7 @@ lang="@link.lang;literal@" title="@link.title@" type="@link.type;literal@" media="@link.media;literal@" integrity="@link.integrity;literal@" crossorigin="@link.crossorigin;literal@"> - @@ -23,7 +23,7 @@ - + @head;literal@ @@ -32,7 +32,7 @@ @header;literal@ @footer;literal@ - + Index: openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl,v diff -u -r1.2.2.5 -r1.2.2.6 --- openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl 3 Jan 2016 21:27:35 -0000 1.2.2.5 +++ openacs-4/packages/acs-bootstrap-installer/installer/www/blank-master.tcl 6 Sep 2016 17:33:55 -0000 1.2.2.6 
@@ -53,7 +53,9 @@ @see template::add_footer @author Kevin Scaldeferri (kevin@arsdigita.com) - Lee Denison (lee@xarg.co.uk) + Lee Denison (lee@xarg.co.uk) + Gustaf Neumann + @creation-date 14 Sept 2000 $Id$ @@ -70,7 +72,22 @@ -name generator \ -lang en \ -content "OpenACS version [ad_acs_version]" - + +# +# Add the content security policy. Since this is the blank master, we +# are defensive and check, if the system has already support for it +# via the CSPEnabledP kernel parameter. Otherwise users would be +# blocked out. +# +if {[parameter::get -parameter CSPEnabledP -package_id [ad_acs_kernel_id] -default 0] + && [info commands ::security::csp::render] ne "" +} { + set csp [::security::csp::render] + if {$csp ne ""} { + ns_set put [ns_conn outputheaders] Content-Security-Policy $csp + } +} + # Add standard javascript # # Include core.js inclusion to the bottom of the body. @@ -89,9 +106,6 @@ } } -# The following (forms, list and xinha) should -# be done in acs-templating. - # # Add css for the current subsite, defaulting to the old list/form css which was # hard-wired in previous versions of OpenACS. Index: openacs-4/packages/acs-kernel/acs-kernel.info =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-kernel/acs-kernel.info,v diff -u -r1.136.2.22 -r1.136.2.23 --- openacs-4/packages/acs-kernel/acs-kernel.info 2 Sep 2016 20:08:47 -0000 1.136.2.22 +++ openacs-4/packages/acs-kernel/acs-kernel.info 6 Sep 2016 17:33:55 -0000 1.136.2.23 @@ -9,15 +9,15 @@ f t - + OpenACS Core Team Routines and data models providing the foundation for OpenACS-based Web services. - 2016-09-02 + 2016-09-06 OpenACS The OpenACS kernel contains the core datamodel create and drop scripts for such things as objects, groups, partiies and the supporting PL/SQL and PL/pgSQL procedures. 3 - + @@ -29,6 +29,7 @@ + 
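Review bot: `ns_set put [ns_conn outputheaders] Content-Security-Policy $csp` in the CSP hunk (@@ -70,7 +72,22 @@) appends unconditionally, so if a Content-Security-Policy header is already present in the output headers the response goes out with two policies, and browsers enforce each of them, i.e. the page is restricted to their intersection; `ns_set update [ns_conn outputheaders] Content-Security-Policy $csp` replaces an existing value instead. The policy string is also final at this point of the master, so any `security::csp::require` call that runs later in the same request (from a template included below this line, for instance) would presumably not be reflected in the header — if that is intended, a one-line comment saying the policy is frozen here would save the next reader a search. The identical hunk appears in openacs-4/www/blank-master.tcl (@@ -70,7 +72,22 @@), and the same two remarks apply there.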
@@ -69,7 +70,6 @@ - Index: openacs-4/packages/acs-tcl/acs-tcl.info =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v diff -u -r1.70.2.18 -r1.70.2.19 --- openacs-4/packages/acs-tcl/acs-tcl.info 2 Sep 2016 17:33:19 -0000 1.70.2.18 +++ openacs-4/packages/acs-tcl/acs-tcl.info 6 Sep 2016 17:33:55 -0000 1.70.2.19 @@ -9,7 +9,7 @@ f t - + OpenACS The Kernel Tcl API library. 2016-05-15 @@ -18,7 +18,7 @@ GPL version 2 3 - + Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v diff -u -r1.78.2.25 -r1.78.2.26 --- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 6 Sep 2016 08:14:44 -0000 1.78.2.25 +++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 6 Sep 2016 17:33:55 -0000 1.78.2.26 @@ -176,9 +176,10 @@ } # - # generate a csrf token + # generate a csrf token and a csp nonce value # security::csrf::new + security::csp::nonce } } 
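Review bot: The added `security::csp::nonce` call in the security-procs.tcl hunk (@@ -176,9 +176,10 @@) discards its return value; it is placed here for its side effect of computing and caching the per-request nonce in the global named by `-tokenname`, which is not visible from the call site. A comment such as `# compute and cache the per-request CSP nonce; security::csp::render picks it up later` next to the call would make the intent explicit, and the existing comment line could read `# generate a csrf token and cache the csp nonce`. The enclosing proc starts and ends outside the hunk.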
@@ -1970,46 +1971,136 @@ return "" } +namespace eval ::security::csp { -# -# Generate a nonce token as described in W3C Content Security Policy -# https://www.w3.org/TR/CSP/ -# -ad_proc -public ::security::nonce_token { {-tokenname __nonce_token} } { + # + # Generate a nonce token as described in W3C Content Security Policy + # https://www.w3.org/TR/CSP/ + # + ad_proc -public ::security::csp::nonce { {-tokenname __csp_nonce} } { - Generate a Nonce token and return it. The nonce token can be used - in content security policies (CSP2) for "script" and "style" - elements. Desired Properties: generate a single unique value per - request which is hard for a hacker to predict, it should only - contain base64 characters (so hex is fine). + Generate a Nonce token and return it. The nonce token can be used + in content security policies (CSP2) for "script" and "style" + elements. Desired Properties: generate a single unique value per + request which is hard for a hacker to predict, it should only + contain base64 characters (so hex is fine). + + For details, see https://www.w3.org/TR/CSP/ + + @return nonce token + @author Gustaf Neumann + } { + # + # Compute the nonce value only once per requests. If it was + # already computed, pick it up and return the precomputed + # value. Otherwise, compute the value new. 
+ # + set globalTokenName ::$tokenname + if {[info exists $globalTokenName]} { + set token [set $globalTokenName] + } else { + set session_id [::security::csrf::session_id] + set secret [ns_config "ns/server/[ns_info server]/acs" parametersecret ""] + + if {[info commands ::crypto::hmac] ne ""} { + set token [::crypto::hmac string $secret $session_id-[clock clicks -microseconds]] + } else { + set token [ns_sha1 "$secret-$session_id-[clock clicks -microseconds]"] + } + set $globalTokenName $token + } + return $token + } - For details, see https://www.w3.org/TR/CSP/ + # security::csp::require style-src 'unsafe-inline' + ad_proc -public ::security::csp::require {directive value} { + Add a single value to a CSP directive + @directive name of the directive (such as e.g. style-src) + @value allowed source for this page (such as e.g. unsafe-inline) + } { + set var ::__csp__directive($directive) + if {![info exists $var] || $value ni [set $var]} { + lappend $var $value + } + } - @return nonce token - @author Gustaf Neumann -} { - # - # Compute the nonce value only once per requests. If it was - # already computed, pick it up and return the precomputed - # value. Otherwise, compute the value new. 
- # - set globalTokenName ::$tokenname - if {[info exists $globalTokenName]} { - set token [set $globalTokenName] - } else { - set session_id [::security::csrf::session_id] - set secret [ns_config "ns/server/[ns_info server]/acs" parametersecret ""] + ad_proc -public ::security::csp::render {} { + } { + # + # Fetch the nonce token + # + set nonce [::security::nonce_token] - if {[info commands ::crypto::hmac] ne ""} { - set token [::crypto::hmac string $secret $session_id-[clock clicks -microseconds]] - } else { - set token [ns_sha1 "$secret-$session_id-[clock clicks -microseconds]"] + # + # Add 'self' rules + # + security::csp::require default-src 'self' + security::csp::require script-src 'self' + security::csp::require style-src 'self' + + # + # Always add the nonce-token to script-src + # + security::csp::require script-src 'nonce-$nonce' + + # We need for the time being 'unsafe-inline' for style-src, + # otherwise not even the style attribute (e.g.

) would be allowed. + # + security::csp::require style-src 'unsafe-inline' + + # + # Check for invalid combination to avoid unexpected behavior + # + foreach directive {script-src style-src} { + # + # The combination of 'unsafe-inline' with a hash or nonce is + # not possible, since 'unsafe-inline' is ignored in such + # cases. + # + set var ::__csp__directive($directive) + if {[info exists $var] && "'unsafe-inline'" in [set $var]} { + foreach prefix {nonce sha256 sha384 sha512} { + set p [lsearch -glob [set $var] '$prefix-*'] + if {$p > -1} { + set $var [lreplace [set $var] $p $p] + } + } + } } - set $globalTokenName $token + + set policy "" + foreach directive { + child-src + connect-src + default-src + font-src + form-action + frame-src + frome-ancestors + img-src + media-src + object-src + plugin-types + report-uri + sandbox + script-src + style-src + } { + set var ::__csp__directive($directive) + if {[info exists $var]} { + append policy "$directive [join [set $var] { }];" + } + } + return $policy } - return $token + } +#TODO remove me: just for a transition phase +proc ::security::nonce_token args {uplevel ::security::csp::nonce {*}$args} + + namespace eval ::security::csrf { # Index: openacs-4/www/blank-master.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/www/blank-master.adp,v diff -u -r1.31.2.1 -r1.31.2.2 --- openacs-4/www/blank-master.adp 5 Sep 2016 11:34:40 -0000 1.31.2.1 +++ openacs-4/www/blank-master.adp 6 Sep 2016 17:33:55 -0000 1.31.2.2 @@ -8,7 +8,7 @@ lang="@link.lang;literal@" title="@link.title@" type="@link.type;literal@" media="@link.media;literal@" integrity="@link.integrity;literal@" crossorigin="@link.crossorigin;literal@"> - @@ -23,7 +23,7 @@ - + @head;literal@ 
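Review bot: The directive list in `::security::csp::render` misspells `frame-ancestors` as `frome-ancestors`, so a value registered via `security::csp::require frame-ancestors ...` is silently never emitted in the policy; change the list entry to `frame-ancestors`. In the 'unsafe-inline' clean-up loop `lsearch -glob` returns only the first match, so a second hash or nonce entry with the same prefix survives the removal; `set $var [lsearch -all -inline -not -glob [set $var] '$prefix-*']` drops all of them in one step and replaces the `set p`/`if`/`lreplace` block. `render` still goes through the transitional `::security::nonce_token` shim that the hunk marks with a TODO rather than calling `::security::csp::nonce` directly, and its ad_proc doc block is empty — a short description of the returned policy string, of the `::__csp__directive` array it reads, and of the fact that 'unsafe-inline' wins over nonce/hash entries for the same directive would help. In `require`, `@directive` and `@value` should be `@param directive` and `@param value` for ad_proc, and a note that the per-request lifetime of `::__csp__directive` presumably relies on interp globals being reset between connections (as the nonce cache already does) belongs there too.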
@@ -32,7 +32,7 @@ @header;literal@ @footer;literal@ - + Index: openacs-4/www/blank-master.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/www/blank-master.tcl,v diff -u -r1.56.2.6 -r1.56.2.7 --- openacs-4/www/blank-master.tcl 5 Sep 2016 11:32:40 -0000 1.56.2.6 +++ openacs-4/www/blank-master.tcl 6 Sep 2016 17:33:55 -0000 1.56.2.7 @@ -53,7 +53,9 @@ @see template::add_footer @author Kevin Scaldeferri (kevin@arsdigita.com) - Lee Denison (lee@xarg.co.uk) + Lee Denison (lee@xarg.co.uk) + Gustaf Neumann + @creation-date 14 Sept 2000 $Id$ @@ -70,7 +72,22 @@ -name generator \ -lang en \ -content "OpenACS version [ad_acs_version]" - + +# +# Add the content security policy. Since this is the blank master, we +# are defensive and check, if the system has already support for it +# via the CSPEnabledP kernel parameter. Otherwise users would be +# blocked out. +# +if {[parameter::get -parameter CSPEnabledP -package_id [ad_acs_kernel_id] -default 0] + && [info commands ::security::csp::render] ne "" +} { + set csp [::security::csp::render] + if {$csp ne ""} { + ns_set put [ns_conn outputheaders] Content-Security-Policy $csp + } +} + # Add standard javascript # # Include core.js inclusion to the bottom of the body. @@ -89,9 +106,6 @@ } } -# The following (forms, list and xinha) should -# be done in acs-templating. - # # Add css for the current subsite, defaulting to the old list/form css which was # hard-wired in previous versions of OpenACS.