jandrade/BinStack
1
0
Fork 0
forked from Business/BinStack
Code Issues Pull Requests Releases Wiki Activity

Refactor and enforce Content-Security-Policy

Browse Source
This commit is contained in:
Skylar Ittner 2017-11-13 16:16:49 -07:00
parent 31cced0e48
commit 6c8d33d2f2
11 changed files with 82 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app.php
View File

@ -71,7 +71,7 @@ if (!is_empty($_GET['page'])) {
} }
?> ?>
<a class="navbar-brand" href="app.php"> <a class="navbar-brand" href="app.php">
<img style="height: 35px; padding-bottom: 12px; padding-left: 5px;" src="<?php echo $src; ?>" /> <img src="<?php echo $src; ?>" />
</a> </a>
<?php <?php
} }
@ -121,7 +121,7 @@ if (!is_empty($_GET['page'])) {
<?php <?php
if (MENU_BAR_STYLE == "fixed") { if (MENU_BAR_STYLE == "fixed") {
?> ?>
<div style="height: 75px;"></div> <div class="pad-75px"></div>
<?php <?php
} }
?> ?>

1
mobile/index.php
View File

@ -90,6 +90,7 @@ switch ($VARS['action']) {
if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) { if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
if (account_has_permission($VARS['username'], "INV_VIEW")) { if (account_has_permission($VARS['username'], "INV_VIEW")) {
doLoginUser($VARS['username'], $VARS['password']); doLoginUser($VARS['username'], $VARS['password']);
$_SESSION['mobile'] = true;
exit(json_encode(["status" => "OK"])); exit(json_encode(["status" => "OK"]));
} else { } else {
exit(json_encode(["status" => "ERROR", "msg" => lang("no permission", false)])); exit(json_encode(["status" => "ERROR", "msg" => lang("no permission", false)]));

2
pages/categories.php
View File

@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin(); redirectifnotloggedin();
?> ?>
<div class="btn-group" style="margin-bottom: 10px;"> <div class="btn-group mgn-btm-10px">
<a href="app.php?page=editcat" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new category"); ?></a> <a href="app.php?page=editcat" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new category"); ?></a>
</div> </div>
<table id="cattable" class="table table-bordered table-striped"> <table id="cattable" class="table table-bordered table-striped">

2
pages/editcat.php
View File

@ -59,7 +59,7 @@ if (!is_empty($VARS['id'])) {
<?php <?php
if ($editing) { if ($editing) {
?> ?>
<a href="action.php?action=deletecat&source=categories&catid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a> <a href="action.php?action=deletecat&source=categories&catid=<?php echo htmlspecialchars($VARS['id']); ?>" class="btn btn-danger btn-xs pull-right mgn-top-8px"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
<?php <?php
} }
?> ?>

4
pages/edititem.php
View File

@ -129,7 +129,7 @@ if (!is_empty($VARS['id'])) {
<div class="form-group"> <div class="form-group">
<label for="code2"><i class="fa fa-qrcode"></i> <?php lang("code 2"); ?></label> <label for="code2"><i class="fa fa-qrcode"></i> <?php lang("code 2"); ?></label>
<div class="input-group"> <div class="input-group">
<input type="text" style="width: available;" class="form-control" id="code2" name="code2" placeholder="qwerty123" value="<?php echo htmlspecialchars($itemdata['code2']); ?>" /> <input type="text" class="form-control" id="code2" name="code2" placeholder="qwerty123" value="<?php echo htmlspecialchars($itemdata['code2']); ?>" />
<span class="input-group-btn mobile-app-show"> <span class="input-group-btn mobile-app-show">
<button type="button" class="btn btn-default" onclick="scancode('#code2'); return false;"><i class="fa fa-fw fa-barcode"></i></button> <button type="button" class="btn btn-default" onclick="scancode('#code2'); return false;"><i class="fa fa-fw fa-barcode"></i></button>
</span> </span>
@ -198,7 +198,7 @@ if (!is_empty($VARS['id'])) {
<?php <?php
if ($editing && !$cloning) { if ($editing && !$cloning) {
?> ?>
<a href="action.php?action=deleteitem&source=items&itemid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a> <a href="action.php?action=deleteitem&source=items&itemid=<?php echo htmlspecialchars($VARS['id']); ?>" class="btn btn-danger btn-xs pull-right mgn-top-8px"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
<?php <?php
} }
?> ?>

2
pages/editloc.php
View File

@ -79,7 +79,7 @@ if (!is_empty($VARS['id'])) {
<?php <?php
if ($editing) { if ($editing) {
?> ?>
<a href="action.php?action=deleteloc&source=locations&locid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a> <a href="action.php?action=deleteloc&source=locations&locid=<?php echo htmlspecialchars($VARS['id']); ?>" class="btn btn-danger btn-xs pull-right mgn-top-8px"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
<?php <?php
} }
?> ?>

4
pages/home.php
View File

@ -11,7 +11,7 @@ redirectifnotloggedin();
<h1><i class="fa fa-fw fa-cubes"></i> <?php echo $database->count('items'); ?></h1> <h1><i class="fa fa-fw fa-cubes"></i> <?php echo $database->count('items'); ?></h1>
</div> </div>
<div class="panel-footer"> <div class="panel-footer">
<a href="app.php?page=items" style="color: black;"><i class="fa fa-arrow-right"></i> <?php lang("view items"); ?></a> <a href="app.php?page=items" class="black-text"><i class="fa fa-arrow-right"></i> <?php lang("view items"); ?></a>
</div> </div>
</div> </div>
</div> </div>
@ -25,7 +25,7 @@ redirectifnotloggedin();
<h1><i class="fa fa-fw fa-tachometer"></i> <?php echo $lowcnt; ?></h1> <h1><i class="fa fa-fw fa-tachometer"></i> <?php echo $lowcnt; ?></h1>
</div> </div>
<div class="panel-footer"> <div class="panel-footer">
<a href="app.php?page=items&filter=stock" style="color: black;"><i class="fa fa-arrow-right"></i> <?php lang("view understocked"); ?></a> <a href="app.php?page=items&filter=stock" class="black-text"><i class="fa fa-arrow-right"></i> <?php lang("view understocked"); ?></a>
</div> </div>
</div> </div>
</div> </div>

6
pages/items.php
View File

@ -5,14 +5,14 @@ require_once __DIR__ . "/../lib/userinfo.php";
redirectifnotloggedin(); redirectifnotloggedin();
?> ?>
<div class="btn-group" style="margin-bottom: 10px;"> <div class="btn-group mgn-btm-10px">
<a href="app.php?page=edititem" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new item"); ?></a> <a href="app.php?page=edititem" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new item"); ?></a>
</div> </div>
<?php if ($_GET['filter'] == 'stock') { ?> <?php if ($_GET['filter'] == 'stock') { ?>
<script>var filter = "stock";</script> <script nonce="<?php echo $SECURE_NONCE; ?>">var filter = "stock";</script>
<div class="alert alert-blue-grey"><i class="fa fa-filter fa-fw"></i> <?php lang("only showing understocked"); ?> &nbsp; <a href="app.php?page=items" class="btn btn-sm btn-blue-grey"><?php lang("show all items"); ?></a></div> <div class="alert alert-blue-grey"><i class="fa fa-filter fa-fw"></i> <?php lang("only showing understocked"); ?> &nbsp; <a href="app.php?page=items" class="btn btn-sm btn-blue-grey"><?php lang("show all items"); ?></a></div>
<?php } else { <?php } else {
echo "<script>var filter = null;</script>\n"; echo "<script nonce=\"$SECURE_NONCE\">var filter = null;</script>\n";
} }
?> ?>
<table id="itemtable" class="table table-bordered table-striped"> <table id="itemtable" class="table table-bordered table-striped">

2
pages/locations.php
View File

@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin(); redirectifnotloggedin();
?> ?>
<div class="btn-group" style="margin-bottom: 10px;"> <div class="btn-group mgn-btm-10px">
<a href="app.php?page=editloc" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new location"); ?></a> <a href="app.php?page=editloc" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new location"); ?></a>
</div> </div>
<table id="loctable" class="table table-bordered table-striped"> <table id="loctable" class="table table-bordered table-striped">

47
required.php
View File

@ -10,12 +10,43 @@ header('Content-Type: text/html; charset=utf-8');
// l33t $ecurity h4x // l33t $ecurity h4x
header('X-Content-Type-Options: nosniff'); header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block'); header('X-XSS-Protection: 1; mode=block');
header('X-Powered-By: PHP'); // no versions makes it harder to find vulns
header('X-Frame-Options: "DENY"');
header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
$SECURE_NONCE = base64_encode(random_bytes(8));
$session_length = 60 * 60; // 1 hour $session_length = 60 * 60; // 1 hour
session_set_cookie_params($session_length, "/", null, false, false); session_set_cookie_params($session_length, "/", null, false, false);
session_start(); // stick some cookies in it session_start(); // stick some cookies in it
// renew session cookie // renew session cookie
setcookie(session_name(), session_id(), time() + $session_length); setcookie(session_name(), session_id(), time() + $session_length);
if ($_SESSION['mobile'] === TRUE) {
header("Content-Security-Policy: "
. "default-src 'self';"
. "object-src 'none'; "
. "img-src * data:; "
. "media-src 'self'; "
. "frame-src 'none'; "
. "font-src 'self'; "
. "connect-src *; "
. "style-src 'self' 'unsafe-inline'; "
. "script-src 'self' 'unsafe-inline'");
} else {
header("Content-Security-Policy: "
. "default-src 'self';"
. "object-src 'none'; "
. "img-src * data:; "
. "media-src 'self'; "
. "frame-src 'none'; "
. "font-src 'self'; "
. "connect-src *; "
. "style-src 'self' 'nonce-$SECURE_NONCE'; "
. "script-src 'self' 'nonce-$SECURE_NONCE'");
}
// //
// Composer // Composer
require __DIR__ . '/vendor/autoload.php'; require __DIR__ . '/vendor/autoload.php';
@ -32,7 +63,21 @@ require __DIR__ . '/lang/' . LANGUAGE . ".php";
* @param string $error error message * @param string $error error message
*/ */
function sendError($error) { function sendError($error) {
die("<!DOCTYPE html><html><head><title>Error</title></head><body><h1 style='color: red; font-family: sans-serif; font-size:100%;'>" . htmlspecialchars($error) . "</h1></body></html>"); global $SECURE_NONCE;
die("<!DOCTYPE html>"
. "<meta charset=\"UTF-8\">"
. "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">"
. "<title>Error</title>"
. "<style nonce=\"" . $SECURE_NONCE . "\">"
. "h1 {color: red; font-family: sans-serif; font-size: 20px; margin-bottom: 0px;} "
. "h2 {font-family: sans-serif; font-size: 16px;} "
. "p {font-family: monospace; font-size: 14px; width: 100%; wrap-style: break-word;} "
. "i {font-size: 12px;}"
. "</style>"
. "<h1>A fatal application error has occurred.</h1>"
. "<i>(This isn't your fault.)</i>"
. "<h2>Details:</h2>"
. "<p>". htmlspecialchars($error) . "</p>");
} }
date_default_timezone_set(TIMEZONE); date_default_timezone_set(TIMEZONE);

22
static/css/app.css
View File

@ -9,6 +9,28 @@
font-size: 110%; font-size: 110%;
} }
.navbar-brand img {
height: 35px;
padding-bottom: 12px;
padding-left: 5px;
}
.pad-75px {
height: 75px;
}
.mgn-btm-10px {
margin-bottom: 10px;
}
.mgn-top-8px {
margin-top: 8px;
}
.black-text {
color: black;
}
.footer { .footer {
margin-top: 10em; margin-top: 10em;
text-align: center; text-align: center;