mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 08:42:41 +01:00

Don't emit Content-Security-Policy when returning a response during preflight setup checks

Summary:
Ref T4340. See <https://discourse.phabricator-community.org/t/core-exception-during-installation/1193/8>.

If we return a response very early during setup, we may not be able to read from the environment yet. Just decline to build a "Content-Security-Policy" header in these cases.

Test Plan:
  - Faked a preflight error (e.g., safe_mode enabled), restarted apache.
    - Before patch: environment error while generating CSP.
    - After patch: no error.
  - Loaded a normal page, observed a normal CSP header.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19172
epriestley 2018-03-05 06:49:30 -08:00
parent 5844952153
commit f31975f7a3


@ -103,9 +103,20 @@ abstract class AphrontResponse extends Phobject {
return null;
}
$csp = array();
// NOTE: We may return a response during preflight checks (for example,
// if a user has a bad version of PHP).
$cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
// In this case, setup isn't complete yet and we can't access environmental
// configuration. If we aren't able to read the environment, just decline
// to emit a Content-Security-Policy header.
try {
$cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
} catch (Exception $ex) {
return null;
}
$csp = array();
if ($cdn) {
$default = $this->newContentSecurityPolicySource($cdn);
} else {
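Review bot: catching bare `Exception` around `PhabricatorEnv::getEnvConfig('security.alternate-file-domain')` and returning null silently drops the Content-Security-Policy header for any failure to read configuration, not only the preflight case the new comment describes, so a config problem on a fully set-up install would quietly serve pages with no CSP at all. Consider narrowing the catch to the exception type raised when the environment is not yet loaded, or checking explicitly that setup has completed before reading config, and logging the dropped header so the condition is visible rather than invisible in the response.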