Fix CSP when there is a theme

nicolas.dorier 2021-09-09 23:22:49 +09:00
parent 650df97e50
commit ad7b62fa3d
No known key found for this signature in database
GPG key ID: 6618763EF09186FE
5 changed files with 5 additions and 58 deletions


@ -448,20 +448,6 @@ namespace BTCPayServer.Controllers
if (view == "modal")
model.IsModal = true;
_CSP.Add(new ConsentSecurityPolicy("script-src", "'unsafe-eval'")); // Needed by Vue
if (!string.IsNullOrEmpty(model.CustomCSSLink) &&
Uri.TryCreate(model.CustomCSSLink, UriKind.Absolute, out var uri))
{
_CSP.Clear();
}
if (!string.IsNullOrEmpty(model.CustomLogoLink) &&
Uri.TryCreate(model.CustomLogoLink, UriKind.Absolute, out uri))
{
_CSP.Clear();
}
return View(nameof(Checkout), model);
}
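Review bot: With `_CSP.Clear()` removed, an absolute CustomCSSLink or CustomLogoLink is no longer exempted from the policy, so unless their origins are now added to `style-src`/`img-src` somewhere this commit does not show, the browser will block the custom theme and logo on checkout; the same holds for `'unsafe-eval'` if that line is part of the removal (the rendered page lost the markers), since the deleted comment says Vue needs it. Dropping the blanket clear is the right direction — it disabled every directive, including `script-src`, to admit a single external stylesheet or image. If the allowances now live in the view or the CSP middleware, a one-line pointer at this site would help the next reader, e.g. `// CSP allowances for custom CSS/logo and Vue are emitted by [where they are set]` with the real location filled in. Checkout's body starts before the hunk.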


@ -32,7 +32,6 @@ namespace BTCPayServer.Controllers
public partial class InvoiceController : Controller
{
readonly InvoiceRepository _InvoiceRepository;
readonly ContentSecurityPolicies _CSP;
readonly RateFetcher _RateProvider;
readonly StoreRepository _StoreRepository;
readonly UserManager<ApplicationUser> _UserManager;
@ -72,7 +71,6 @@ namespace BTCPayServer.Controllers
_dbContextFactory = dbContextFactory;
_paymentHostedService = paymentHostedService;
WebhookNotificationManager = webhookNotificationManager;
_CSP = csp;
_languageService = languageService;
}
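Review bot: The second hunk drops `_CSP = csp;` but the constructor signature is outside the hunk, so if the `ContentSecurityPolicies csp` parameter is still declared there it is now an unused dependency that DI keeps resolving on every controller activation; remove it from the parameter list in the same change, or say why it stays. The first hunk's removal of the `_CSP` field is consistent with that. The constructor starts before the hunk and its parameter list is not visible here.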


@ -1,32 +0,0 @@
using System;
using BTCPayServer.Abstractions.Contracts;
using BTCPayServer.Security;
using Microsoft.AspNetCore.Mvc.Filters;
namespace BTCPayServer.HostedServices
{
public class ContentSecurityPolicyCssThemeManager : Attribute, IActionFilter, IOrderedFilter
{
public int Order => 1001;
public void OnActionExecuted(ActionExecutedContext context)
{
}
public void OnActionExecuting(ActionExecutingContext context)
{
var settingsRepository = context.HttpContext.RequestServices.GetService(typeof(ISettingsRepository)) as ISettingsRepository;
var policies = context.HttpContext.RequestServices.GetService(typeof(ContentSecurityPolicies)) as ContentSecurityPolicies;
if (policies != null)
{
var theme = settingsRepository.GetTheme().GetAwaiter().GetResult();
if (theme.CssUri != null && Uri.TryCreate(theme.CssUri, UriKind.Absolute, out var uri))
{
policies.Clear();
}
}
}
}
}


@ -302,7 +302,6 @@ namespace BTCPayServer.Hosting
services.Configure<MvcOptions>((o) =>
{
o.Filters.Add(new ContentSecurityPolicyCssThemeManager());
o.ModelMetadataDetailsProviders.Add(new SuppressChildValidationMetadataProvider(typeof(WalletId)));
o.ModelMetadataDetailsProviders.Add(new SuppressChildValidationMetadataProvider(typeof(DerivationStrategyBase)));
});


@ -75,8 +75,6 @@ namespace BTCPayServer.Security
}
public void Add(ConsentSecurityPolicy policy)
{
if (_Policies.Any(p => p.Name == policy.Name && p.Value == policy.Name))
return;
_Policies.Add(policy);
}
@ -94,20 +92,18 @@ namespace BTCPayServer.Security
value.Append(';');
}
HashSet<string> values = new HashSet<string>();
List<string> valuesList = new List<string>();
values.Add(group.Key);
valuesList.Add(group.Key);
foreach (var v in group)
{
values.Add(v.Value);
if (values.Add(v.Value))
valuesList.Add(v.Value);
}
value.Append(String.Join(" ", values.OfType<object>().ToArray()));
value.Append(String.Join(" ", valuesList.OfType<object>().ToArray()));
firstGroup = false;
}
return value.ToString();
}
internal void Clear()
{
_Policies.Clear();
}
}
}
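Review bot: `valuesList.OfType<object>().ToArray()` in the render loop is a leftover from joining the HashSet and hides the intent; `value.Append(String.Join(" ", valuesList));` is equivalent. Keeping both a set and a list deserves a comment, e.g. `// de-duplicate while preserving insertion order so the directive name is emitted first`, since the list is what makes the directive well-formed. Dropping the check in Add() is fine, as it compared `p.Value` against `policy.Name` and so effectively never matched; duplicates are now tolerated in _Policies and collapsed only at render time, which is worth a line on Add(). The enclosing render method's signature lies outside the hunk.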