From 241474b0d9e8cd99b440f38890bcb78eaac34b74 Mon Sep 17 00:00:00 2001 From: msweet Date: Mon, 20 Oct 2014 21:59:33 +0000 Subject: [PATCH] The web interface now protects against frame "click-jacking" attacks (STR #4492) git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12219 a1ca3aef-8c08-0410-bb20-df032aa958be --- CHANGES-2.0.txt | 2 ++ cups/http.c | 11 +++++++++++ templates/es/header.tmpl.in | 8 ++++++++ templates/header.tmpl.in | 8 ++++++++ 4 files changed, 29 insertions(+) diff --git a/CHANGES-2.0.txt b/CHANGES-2.0.txt index 17455f620..721007b5e 100644 --- a/CHANGES-2.0.txt +++ b/CHANGES-2.0.txt @@ -8,6 +8,8 @@ CHANGES IN CUPS V2.0.1 - Printer sharing did not work when systemd was being used (STR #4497) - cupsGetPPD* would return a symlink to the PPD in /etc/cups/ppd even if it was not readable by the user (STR #4500) + - The web interface now protects against frame "click-jacking" attacks + (STR #4492) - Fixed a crash in ippAttributeString () - RPMs did not build (STR #4490) diff --git a/cups/http.c b/cups/http.c index 4e1729fd8..dfcd759ac 100644 --- a/cups/http.c +++ b/cups/http.c @@ -3611,6 +3611,17 @@ httpWriteResponse(http_t *http, /* I - HTTP connection */ return (-1); } } + + /* + * "Click-jacking" defense (STR #4492)... + */ + + if (httpPrintf(http, "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: frame-ancestors 'none'\r\n") < 1) + { + http->status = HTTP_STATUS_ERROR; + return (-1); + } } if (httpWrite2(http, "\r\n", 2) < 2) diff --git a/templates/es/header.tmpl.in b/templates/es/header.tmpl.in index 044966157..a6df94cfb 100644 --- a/templates/es/header.tmpl.in +++ b/templates/es/header.tmpl.in @@ -8,7 +8,15 @@ {refresh_page?:} +