a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/hgTables/genomeSpace.c src/hg/hgTables/genomeSpace.c index ba0236a..1c05c01 100644 --- src/hg/hgTables/genomeSpace.c +++ src/hg/hgTables/genomeSpace.c @@ -370,48 +370,46 @@ if (errno == 32) break; totalUploaded += bufRead; int pctUploaded = 100.0*totalUploaded/contentLength; if (progress && (pctUploaded != lastPctUploaded)) { char nicenumber[1024]=""; sprintWithGreekByte(nicenumber, sizeof(nicenumber), contentLength); // Various global flags must be reset to draw a fresh html output page. webHeadAlreadyOutputed = FALSE; webInTextMode = FALSE; includedResourceFiles = NULL; htmlWarnBoxSetUpAlready=FALSE; + jsInlineReset(); htmlOpen("Uploading Output to GenomeSpace"); printf("Name: %s<br>\n", fileName); printf("Size: %s<br>\n", nicenumber); printf("Progress: %0d%%<br>\n", pctUploaded); printf("<br>\n"); printf("<FORM ACTION=\"/cgi-bin/hgTables\" METHOD=GET>\n" "<INPUT TYPE=SUBMIT NAME=\"%s\" VALUE=\"Back\" >" - "<INPUT TYPE=SUBMIT NAME=\"Refresh\" VALUE=\"Refresh\" onclick='window.location=window.location;return false;' >" + "<INPUT TYPE=SUBMIT NAME=\"Refresh\" id='Refresh' VALUE=\"Refresh\">" "</FORM>\n" , hgtaDoMainPage); - puts("<script type=\"text/javascript\">"); - puts("<!--"); - puts("setTimeout(\"location = location;\",5000);"); - puts("-->"); - puts("</script>"); + jsOnEventById("click", "Refresh", "window.location=window.location;return false;"); + jsInline("setTimeout(function(){location = location;},5000);"); htmlClose(); fflush(stdout); lastPctUploaded = pctUploaded; } } carefulClose(&f); char *responseCode = NULL; char *s3UploadResponse = parseResponse(sd, &responseCode); if (!sameString(responseCode, "200 OK")) errAbort("Amazon S3 Response: %s", responseCode); @@ -455,31 +453,31 @@ /* do nothing */ ; if (start < 0) { htmlOpen("Background Status"); errAbort("No html start tag found"); htmlClose(); return; } puts("Content-Type: text/html\n"); int line; boolean autoRefreshFound = FALSE; boolean successfullyUploaded = FALSE; for (line=start; line <= end; line++) { puts(lines[line]); - if (startsWith("setTimeout(\"location = location;", lines[line])) + if (startsWith("setTimeout(function(){location = location;}", lines[line])) autoRefreshFound = TRUE; if (startsWith("Output has been successfully uploaded", lines[line])) successfullyUploaded = TRUE; } // if it looks like the background is no longer running, // include the .err stdout output for more informative problem message char urlErr[512]; char *textErr = NULL; safef(urlErr, sizeof urlErr, "%s.err", url); if (!autoRefreshFound && !successfullyUploaded && (fileSize(urlErr) > 0)) { readInGulp(urlErr, &textErr, NULL); printf("%s", textErr); } } @@ -633,60 +631,59 @@ ++user; char nicenumber[1024]=""; sprintWithGreekByte(nicenumber, sizeof(nicenumber), fSize); htmlOpen("Uploading Output to GenomeSpace"); printf("Name: %s<br>\n", fileName); printf("Size: %s<br>\n", nicenumber); printf("Progress: 0%%<br>\n"); printf("You can remain on this page and monitor upload progress.<br>\n"); printf("Otherwise, feel free to continue working, and your output will appear in GenomeSpace when the upload is complete.<br>\n"); printf("<br>\n"); printf("<FORM ACTION=\"/cgi-bin/hgTables\" METHOD=GET>\n" "<INPUT TYPE=SUBMIT NAME=\"%s\" VALUE=\"Back\" >\n" - "<INPUT TYPE=SUBMIT NAME=\"Refresh\" VALUE=\"Refresh\" onclick='window.location=window.location;return false;' >" + "<INPUT TYPE=SUBMIT NAME=\"Refresh\" id='Refresh' VALUE=\"Refresh\">" "</FORM>\n" , hgtaDoMainPage); -puts("<script type=\"text/JavaScript\">"); -puts("<!--"); -puts("setTimeout(\"location = location;\",5000);"); -puts("-->"); -puts("</script>"); +jsOnEventById("click", "Refresh", "window.location=window.location;return false;"); +jsInline("setTimeout(function(){location = location;},5000);"); htmlClose(); fflush(stdout); // MD5 COMPUTE unsigned char md5[16]; /* Keep the md5 checksum here. */ md5ForFile(trashFileName,md5); char *hexMd5 = md5ToHex(md5); char *base64Md5 = base64Encode((char*)md5, 16); char *s3UploadUrl = gsUploadUrl(gsToken, user, fileName, fSize, base64Md5, contentType); char *s3Response = gsS3Upload(s3UploadUrl, trashFileName, fSize, base64Md5, hexMd5, contentType, TRUE, fileName); if (sameString(s3Response,"")) { // Reset global flags before drawing brand new page webHeadAlreadyOutputed = FALSE; webInTextMode = FALSE; includedResourceFiles = NULL; htmlWarnBoxSetUpAlready=FALSE; + jsInlineReset(); + htmlOpen("Uploaded Output to GenomeSpace"); printf("Name: %s<br>\n", fileName); printf("Size: %s<br>\n", nicenumber); printf("Output has been successfully uploaded.<br>\n"); printf("<br>"); printf("<FORM ACTION=\"/cgi-bin/hgTables\" METHOD=GET>\n" "<INPUT TYPE=SUBMIT NAME=\"%s\" VALUE=\"Back\" ></FORM>\n" , hgtaDoMainPage); htmlClose(); fflush(stdout); } //printf("s3UploadUrl [%s]", s3UploadUrl); //printf("<br>");