src/aphront/response/AphrontResponse.php
Show First 20 Lines • Show All 212 Lines • ▼ Show 20 Lines | /* -( Metadata )----------------------------------------------------------- */ | ||||
private function newContentSecurityPolicySource($uri) { | private function newContentSecurityPolicySource($uri) { | ||||
// Some CSP URIs are ultimately user controlled (like notification server | // Some CSP URIs are ultimately user controlled (like notification server | ||||
// URIs and CDN URIs) so attempt to stop an attacker from injecting an | // URIs and CDN URIs) so attempt to stop an attacker from injecting an | ||||
// unsafe source (like 'unsafe-eval') into the CSP header. | // unsafe source (like 'unsafe-eval') into the CSP header. | ||||
$uri = id(new PhutilURI($uri)) | $uri = id(new PhutilURI($uri)) | ||||
->setPath(null) | ->setPath(null) | ||||
->setFragment(null) | ->setFragment(null) | ||||
->setQueryParams(array()); | ->removeAllQueryParams(); | ||||
$uri = (string)$uri; | $uri = (string)$uri; | ||||
if (preg_match('/[ ;\']/', $uri)) { | if (preg_match('/[ ;\']/', $uri)) { | ||||
throw new Exception( | throw new Exception( | ||||
pht( | pht( | ||||
'Attempting to emit a response with an unsafe source ("%s") in the '. | 'Attempting to emit a response with an unsafe source ("%s") in the '. | ||||
'Content-Security-Policy header.', | 'Content-Security-Policy header.', | ||||
$uri)); | $uri)); | ||||
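Review bot: The guard on the `preg_match('/[ ;\']/', $uri)` line only rejects a literal space, but the CSP grammar separates sources with any required whitespace (SP or HTAB), so a tab surviving PhutilURI serialization would not be caught even though it could split the source into two tokens. A broader class is cheap and keeps the intent: `if (preg_match('/[\s;\']/', $uri)) {`. I'd also note in the comment above it that the check runs against the serialized form, e.g. `// Validate the reserialized URI, since that is the exact string emitted.`, so a future change to PhutilURI's output does not silently bypass it. The body of newContentSecurityPolicySource continues past the end of this hunk, so the return path after the throw is not visible here.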