From e43f2e0cee09d7d327c0564835a14796a6cdcd98 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Mon, 5 Mar 2018 06:49:30 -0800
Subject: [PATCH] (stable) Don't emit Content-Security-Policy when returning a response during preflight setup checks
Summary: Ref T4340. See . If we return a response very early during setup, we may not be able to read from the environment yet. Just decline to build a "Content-Security-Policy" header in these cases.
Test Plan: - Faked a preflight error (e.g., safe_mode enabled), restarted apache. - Before patch: environment error while generating CSP. - After patch: no error. - Loaded a normal page, observed an normal CSP header.
Maniphest Tasks: T4340
Differential Revision: https://secure.phabricator.com/D19172
---
 src/aphront/response/AphrontResponse.php | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/aphront/response/AphrontResponse.php b/src/aphront/response/AphrontResponse.php
index 892417fcb1..2ee222d61c 100644
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@@ -103,9 +103,20 @@ abstract class AphrontResponse extends Phobject {
 return null;
 }

- $csp = array();
+ // NOTE: We may return a response during preflight checks (for example,
+ // if a user has a bad version of PHP).

- $cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
+ // In this case, setup isn't complete yet and we can't access environmental
+ // configuration. If we aren't able to read the environment, just decline
+ // to emit a Content-Security-Policy header.
+
+ try {
+ $cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
+ } catch (Exception $ex) {
+ return null;
+ }
+
+ $csp = array();
 if ($cdn) {
 $default = $this->newContentSecurityPolicySource($cdn);
 } else {
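Review bot: The `catch (Exception $ex)` around `PhabricatorEnv::getEnvConfig('security.alternate-file-domain')` fails open: any exception from the config read, not only the preflight case the comment describes, now silently drops the Content-Security-Policy header for that response. If the environment layer throws a specific exception type when setup is incomplete, catching that type would keep an unrelated failure on a normal page from removing the header unnoticed; that type is not visible in this hunk, so it needs checking against PhabricatorEnv. At minimum, extend the comment with something like `// NOTE: This fails open: responses built on this path carry no CSP, so they must not render untrusted content.` The enclosing method starts and ends outside the hunk, so the reading that a `null` return means "emit no header" is inferred from the earlier `return null;` context line.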