From 3bd95a4452433e68b21935463cb9e6b07ff4e449 Mon Sep 17 00:00:00 2001 From: Dylan William Hardison Date: Tue, 20 Feb 2018 09:11:48 -0500 Subject: [PATCH] Bug 1432296 - Prevent bugzilla static assets from being blocked by overly long request URIs --- Bugzilla/CGI.pm | 16 +++++++++++++--- template/en/default/global/header.html.tmpl | 7 ++++++- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 651c31bad..35d6dd687 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -491,6 +491,11 @@ sub _prevent_unsafe_response { } } +sub should_block_referrer { + my ($self) = @_; + return length($self->self_url) > 8000; +} + # Override header so we can add the cookies in sub header { my $self = shift; @@ -570,15 +575,20 @@ sub header { # the MIME type away from the declared Content-Type. $headers{'-x_content_type_options'} = 'nosniff'; - my $csp = $self->content_security_policy; - $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable; - Bugzilla::Hook::process('cgi_headers', { cgi => $self, headers => \%headers } ); $self->{_header_done} = 1; if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) { + if ($self->should_block_referrer) { + $headers{'-referrer_policy'} = 'origin'; + } + my $csp = $self->content_security_policy; + if (defined $csp && !$csp->disable) { + $csp->add_cgi_headers(\%headers) + } + my @fonts = ( "skins/standard/fonts/FiraMono-Regular.woff2?v=3.202", "skins/standard/fonts/FiraSans-Bold.woff2?v=4.203", diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl index 04b996e16..428354233 100644 --- a/template/en/default/global/header.html.tmpl +++ b/template/en/default/global/header.html.tmpl @@ -98,6 +98,12 @@ [% END %] + [% IF Bugzilla.cgi.should_block_referrer %] + + [% ELSE %] + + [% END %] + [%- js_BUGZILLA = { param => { maxusermatches => Param('maxusermatches'), @@ -206,7 +212,6 @@ [% IF allow_mobile && is_mobile_browser %] [% END %] - [% Hook.process("additional_header") %] -- 2.47.3