/*
- * "$Id: http.c 12125 2014-08-28 15:49:29Z msweet $"
+ * "$Id: http.c 12230 2014-10-21 13:55:24Z msweet $"
*
* HTTP routines for CUPS.
*
http->server = _cupsStrAlloc(value);
break;
+ case HTTP_FIELD_WWW_AUTHENTICATE :
+ /* CUPS STR #4503 - don't override WWW-Authenticate for unknown auth schemes */
+ if (http->fields[HTTP_FIELD_WWW_AUTHENTICATE][0] &&
+ _cups_strncasecmp(value, "Basic ", 6) &&
+ _cups_strncasecmp(value, "Digest ", 7) &&
+ _cups_strncasecmp(value, "Negotiate ", 10))
+ {
+ DEBUG_printf(("1httpSetField: Ignoring unknown auth scheme in \"%s\".", value));
+ return;
+ }
+
+ /* Fall through to copy */
+
default :
strlcpy(http->fields[field], value, HTTP_MAX_VALUE);
break;
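Review bot: The scheme match for Negotiate requires a trailing space (`_cups_strncasecmp(value, "Negotiate ", 10)`), so a bare `WWW-Authenticate: Negotiate` challenge, which RFC 4559 allows as the initial challenge, is classified as an unknown scheme and dropped whenever an earlier challenge is already stored; the same applies to `Basic`/`Digest` followed directly by a comma or end of string. Assuming `_cups_strncasecmp` behaves like `strncasecmp`, comparing the scheme token and then checking the delimiter avoids this: `(_cups_strncasecmp(value, "Negotiate", 9) || (value[9] && value[9] != ' ' && value[9] != ','))`, and likewise for the other two schemes. The `return;` also skips anything that follows the switch in httpSetField, which is outside this hunk; worth confirming no field bookkeeping is bypassed. The enclosing switch and function start and end outside the hunk.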
return (-1);
}
}
+
+ /*
+ * "Click-jacking" defense (STR #4492)...
+ */
+
+ if (httpPrintf(http, "X-Frame-Options: DENY\r\n"
+ "Content-Security-Policy: frame-ancestors 'none'\r\n") < 1)
+ {
+ http->status = HTTP_STATUS_ERROR;
+ return (-1);
+ }
}
if (httpWrite2(http, "\r\n", 2) < 2)
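Review bot: The new comment names the STR but not why two headers are sent, which is the part a future maintainer is most likely to "simplify" away; suggest `/* X-Frame-Options for legacy browsers, CSP frame-ancestors for browsers that implement CSP level 2; both deny embedding in any frame. */` above the httpPrintf. It is also worth stating in that comment that the headers are emitted on every response that reaches this path (the enclosing block and its condition start outside the hunk), since `http->fields` may already carry a caller-supplied value for these names and the behavior on duplicates is not visible here.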
/*
- * End of "$Id: http.c 12125 2014-08-28 15:49:29Z msweet $".
+ * End of "$Id: http.c 12230 2014-10-21 13:55:24Z msweet $".
*/