mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-30 02:32:42 +01:00
Don't emit Content-Security-Policy when returning a response during preflight setup checks
Summary: Ref T4340. See <https://discourse.phabricator-community.org/t/core-exception-during-installation/1193/8>. If we return a response very early during setup, we may not be able to read from the environment yet. Just decline to build a "Content-Security-Policy" header in these cases. Test Plan: - Faked a preflight error (e.g., safe_mode enabled), restarted apache. - Before patch: environment error while generating CSP. - After patch: no error. - Loaded a normal page, observed an normal CSP header. Maniphest Tasks: T4340 Differential Revision: https://secure.phabricator.com/D19172
This commit is contained in:
parent
5844952153
commit
f31975f7a3
1 changed files with 13 additions and 2 deletions
|
@ -103,9 +103,20 @@ abstract class AphrontResponse extends Phobject {
|
|||
return null;
|
||||
}
|
||||
|
||||
$csp = array();
|
||||
// NOTE: We may return a response during preflight checks (for example,
|
||||
// if a user has a bad version of PHP).
|
||||
|
||||
// In this case, setup isn't complete yet and we can't access environmental
|
||||
// configuration. If we aren't able to read the environment, just decline
|
||||
// to emit a Content-Security-Policy header.
|
||||
|
||||
try {
|
||||
$cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
|
||||
} catch (Exception $ex) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$csp = array();
|
||||
if ($cdn) {
|
||||
$default = $this->newContentSecurityPolicySource($cdn);
|
||||
} else {
|
||||
|
|
Loading…
Reference in a new issue