a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c index 6f560ce..40d5d06 100644 --- src/hg/hgLogin/hgLogin.c +++ src/hg/hgLogin/hgLogin.c @@ -12,30 +12,31 @@ #include "jksql.h" #include "htmshell.h" #include "cart.h" #include "hPrint.h" #include "hdb.h" #include "hui.h" #include "web.h" #include "ra.h" #include "hgColors.h" #include "net.h" #include "wikiLink.h" #include "hgLogin.h" #include "gbMembers.h" #include "versionInfo.h" #include "mailViaPipe.h" +#include "dystring.h" /* ---- Global variables. ---- */ char msg[4096] = ""; char *incorrectUsernameOrPassword="The username or password you entered is incorrect."; char *incorrectUsername="The username you entered is incorrect."; /* The excludeVars are not saved to the cart. */ char *excludeVars[] = { "submit", "Submit", "debug", "fixMembers", "update", "hgLogin_password", "hgLogin_password2", "hgLogin_newPassword1", "hgLogin_newPassword2", NULL }; struct cart *cart; /* This holds cgi and other variables between clicks. */ char *database; /* Name of genome database - hg15, mm3, or the like. */ struct hash *oldCart; /* Old cart hash. */ char *errMsg; /* Error message to show user when form data rejected */ char brwName[64]; char brwAddr[256]; @@ -315,50 +316,46 @@ char *cgiDir = cgiScriptDirUrl(); char returnTo[2048]; if (!returnURL || sameString(returnURL,"")) safef(returnTo, sizeof(returnTo), "http%s://%s%shgSession?hgS_doMainPage=1", cgiAppendSForHttps(), hgLoginHost, cgiDir); else safecpy(returnTo, sizeof(returnTo), returnURL); return cloneString(returnTo); } void returnToURL(int delay) /* delay for delay mill-seconds then return to the "returnto" URL */ { char *returnURL = getReturnToURL(); -hPrintf( - "", delay, returnURL); + , returnURL, delay); +jsInline(javascript); } static void redirectToLoginPage(char *paramStr) /* redirect to hgLogin page with given parameter string */ { -hPrintf("", hgLoginUrl, paramStr); +char javascript[1024]; +safef(javascript, sizeof javascript, + "window.location ='%s?%s'" + , hgLoginUrl, paramStr); +jsInline(javascript); } void displayActMailSuccess() /* display Activate mail success box */ { char *returnURL = getReturnToURL(); hPrintf( "
" "\n" "

%s

", brwName); hPrintf( "

A confirmation email has been sent to you. \n" "Please click the confirmation link in the email to activate your account.

" "\n" "

Return

", returnURL); @@ -444,36 +441,35 @@ int result; result = mailViaPipe(email, subject, msg, returnAddr); if (result == -1) { hPrintf( "

%s

", brwName); hPrintf( "

" "

" "

Error emailing %s to: %s

" "Click here to return.
", hgLoginUrl, obj, email ); } else { - hPrintf("", hgLoginUrl); + char javascript[1024]; + safef(javascript, sizeof javascript, + "window.location = '%s?hgLogin.do.displayMailSuccess=1'" + , hgLoginUrl); + jsInline(javascript); } } void mailUsername(char *email, char *users) /* send user name list to the email address */ { char subject[256]; char msg[4096]; char *remoteAddr=getenv("REMOTE_ADDR"); safef(subject, sizeof(subject),"Your user name at the %s", brwName); safef(msg, sizeof(msg), " Someone (probably you, from IP address %s) has requested user name(s) associated with this email address at the %s: \n\n %s\n\n%s\n%s", remoteAddr, brwName, users, signature, returnAddr); sendMailOut(email, subject, msg); @@ -510,110 +506,105 @@ int result; result = mailViaPipe(email, subject, msg, returnAddr); if (result == -1) { hPrintf( "

%s

", brwName); hPrintf( "

" "

" "

Error emailing %s to: %s

" "Click here to return.
", hgLoginUrl, obj, email ); } else { - hPrintf("", hgLoginUrl, username); + char javascript[1024]; + safef(javascript, sizeof javascript, + "window.location = '%s?hgLogin.do.displayMailSuccessPwd=1&user=%s'" + , hgLoginUrl, username); + jsInline(javascript); } } void sendNewPwdMail(char *username, char *email, char *password) /* send user new password */ { char subject[256]; char msg[4096]; char *remoteAddr=getenv("REMOTE_ADDR"); safef(subject, sizeof(subject),"New temporary password for your account at the %s", brwName); safef(msg, sizeof(msg), " Someone (probably you, from IP address %s) requested a new password for the %s (%s). A temporary password for user \"%s\" has been created and was set to \"%s\". If this was your intent, you will need to log in and choose a new password now. Your temporary password will expire in 7 days.\n\n If someone else made this request, or if you have remembered your password, and you no longer wish to change it, you may ignore this message and continue using your old password.\n\n%s\n%s", remoteAddr, brwName, brwAddr, username, password, signature, returnAddr); sendPwdMailOut(email, subject, msg, username); } void displayAccHelpPage(struct sqlConnection *conn) /* draw the account help page */ { char *email = cartUsualString(cart, "hgLogin_email", ""); char *username = cartUsualString(cart, "hgLogin_userName", ""); -hPrintf("" - "\n"); + ); hPrintf("
" "\n" "

%s

" "\n", brwName); hPrintf("

Having trouble signing in?

" "\n" "
" "\n" "

%s

" "\n", hgLoginUrl, errMsg ? errMsg : ""); hPrintf("

" - "
" + "
" "
" - "
" + "
" "
" "\n" "
" "\n"); hPrintf("
" "" "" "
" "\n" "
" "" "" "
" "\n" "
" " " "  Cancel" "
" "" "
", username, email, getReturnToURL()); +jsOnEventById("click", "password", "toggle('showU');"); +jsOnEventById("click", "username", "toggle('showE');"); cartSaveSession(cart); } void sendNewPassword(struct sqlConnection *conn, char *username, char *password) /* email user new password */ { char query[256]; /* find email address associated with this username */ sqlSafef(query,sizeof(query),"SELECT email FROM gbMembers WHERE userName='%s'", username); char *email = sqlQuickString(conn, query); if (!email || sameString(email,"")) { freez(&errMsg); errMsg = cloneString("Email address not found."); displayAccHelpPage(conn); @@ -1158,36 +1149,37 @@ return TRUE; else return FALSE; } void displayLoginSuccess(char *userName, uint idx) /* display login success msg, and set cookie */ { hPrintf("

%s

", brwName); hPrintf( "

" "

" "" "\n"); /* Set cookies */ -hPrintf("\n"); + dyStringPrintf(javascript, " document.cookie = '%s';", sl->name); +jsInline(javascript->string); cartRemove(cart,"hgLogin_userName"); returnToURL(150); } void displayLogin(struct sqlConnection *conn) /* display and process login info */ { struct sqlResult *sr; char **row; char query[256]; char *userName = cartUsualString(cart, "hgLogin_userName", ""); if (sameString(userName,"")) { freez(&errMsg); errMsg = cloneString("User name cannot be blank."); @@ -1242,35 +1234,35 @@ displayLoginPage(conn); return; } gbMembersFree(&m); } void displayLogoutSuccess() /* display logout success msg, and reset cookie */ { hPrintf("

%s Sign Out

", brwName); hPrintf( "

" "

" "" "\n"); -hPrintf("\n"); + dyStringPrintf(javascript, " document.cookie = '%s';", sl->name); +jsInline(javascript->string); /* return to "returnto" URL */ returnToURL(150); } void doMiddle(struct cart *theCart) /* Write the middle parts of the HTML page. * This routine sets up some globals and then * dispatches to the appropriate page-maker. */ { struct sqlConnection *conn = hConnectCentral(); cart = theCart; safecpy(brwName,sizeof(brwName), browserName()); safecpy(brwAddr,sizeof(brwAddr), browserAddr()); safecpy(signature,sizeof(signature), mailSignature()); safecpy(returnAddr,sizeof(returnAddr), mailReturnAddr());