From: Dylan William Hardison Date: Tue, 20 Feb 2018 14:11:48 +0000 (-0500) Subject: Bug 1432296 - Prevent bugzilla static assets from being blocked by overly long reques... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3bd95a4452433e68b21935463cb9e6b07ff4e449;p=thirdparty%2Fbugzilla.git Bug 1432296 - Prevent bugzilla static assets from being blocked by overly long request URIs --- diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 651c31bad..35d6dd687 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -491,6 +491,11 @@ sub _prevent_unsafe_response { } } +sub should_block_referrer { + my ($self) = @_; + return length($self->self_url) > 8000; +} + # Override header so we can add the cookies in sub header { my $self = shift; @@ -570,15 +575,20 @@ sub header { # the MIME type away from the declared Content-Type. $headers{'-x_content_type_options'} = 'nosniff'; - my $csp = $self->content_security_policy; - $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable; - Bugzilla::Hook::process('cgi_headers', { cgi => $self, headers => \%headers } ); $self->{_header_done} = 1; if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) { + if ($self->should_block_referrer) { + $headers{'-referrer_policy'} = 'origin'; + } + my $csp = $self->content_security_policy; + if (defined $csp && !$csp->disable) { + $csp->add_cgi_headers(\%headers) + } + my @fonts = ( "skins/standard/fonts/FiraMono-Regular.woff2?v=3.202", "skins/standard/fonts/FiraSans-Bold.woff2?v=4.203", diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl index 04b996e16..428354233 100644 --- a/template/en/default/global/header.html.tmpl +++ b/template/en/default/global/header.html.tmpl @@ -98,6 +98,12 @@ [% END %] + [% IF Bugzilla.cgi.should_block_referrer %] + + [% ELSE %] + + [% END %] + [%- js_BUGZILLA = { param => { maxusermatches => Param('maxusermatches'), @@ -206,7 +212,6 @@ [% IF allow_mobile && is_mobile_browser %] [% END %] - [% Hook.process("additional_header") %]