[Xymon] Proposed patch for broken CSP

Jonathan Trott jtrott at dancrai.com
Thu Nov 16 02:27:43 CET 2017


Hi John.

I haven't seen the issue on any other pages, so your patch should hopefully 
fix the issue.

Thanks,
JT

John Thurston <john.thurston at alaska.gov> wrote on 14/11/2017 05:58:30:

> 
> I propose the following patch to correct the broken form submission on 
> the trends page:
> 
> > --- ./xymon-4.3.28/lib/cgi.c-4.3.28   Thu Mar   3 14:44:55 2016
> > +++ ./xymon-4.3.28/lib/cgi.c   Mon Nov 13 09:43:38 2017
> > @@ -275,7 +275,7 @@
> >    else if (strncmp(str, "ackinfo", 7) == 0) csppol = strdup
> ("script-src 'self'; connect-src 'self'; form-action 'self';");
> >    else if (strncmp(str, "acknowledge", 11) == 0) csppol = strdup
> ("script-src 'self'; connect-src 'self'; form-action 'self';");
> >    else if (strncmp(str, "criticaleditor", 14) == 0) csppol = 
> strdup("script-src 'self'; connect-src 'self'; form-action 'self';");
> > -   else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = 
> strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
> action 'self'; sandbox allow-forms allow-scripts;");
> > +   else if (strncmp(str, "svcstatus-trends", 16) == 0) csppol = 
> strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
> action 'self'; sandbox allow-forms allow-scripts allow-same-origin;");
> >    else if (strncmp(str, "svcstatus-info", 14) == 0) csppol = 
> strdup("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-
> action 'self'; sandbox allow-forms allow-same-origin allow-scripts 
> allow-modals allow-popups;");
> >    else if (strncmp(str, "svcstatus", 9) == 0) csppol = strdup
> ("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox
> allow-forms allow-same-origin;");
> >    else if (strncmp(str, "historylog", 10) == 0) csppol = strdup
> ("script-src 'self'; connect-src 'self'; form-action 'self'; sandbox
> allow-forms;");
> 
> Has anyone found other incorrect CSP headers ?
> 
>     Do things because you should, not just because you can.
> 
> John Thurston    907-465-8591
> John.Thurston at alaska.gov
> Department of Administration
> State of Alaska
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
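
The question above is whether other pages hand out a CSP with the same defect. As an added example that is not Xymon's own code, here is a small Python linter over the policy strings copied from the quoted patch. It encodes the reasoning the patch relies on (a `sandbox` without `allow-same-origin` gives the document an opaque origin, so `'self'` in `form-action`, `script-src` or `connect-src` has nothing to match; this is my reading of why the trends form broke, and how strictly browsers apply it varies by version) and the caveat the patched policy now carries (`allow-scripts` plus `allow-same-origin` alongside `'unsafe-inline'` means the sandbox no longer keeps injected script away from the Xymon origin). The page names and policy strings are taken from the hunk; the function names and finding wording are mine.

```python
"""Added example, not Xymon code: lint the per-page CSP strings from lib/cgi.c.

Policy strings below are copied from the quoted patch; the two checks encode
the reasoning behind the patch and the caveat it introduces."""
from typing import Dict, List

CSP = Dict[str, List[str]]

# Policy table after the patch, copied from the quoted hunk (context + '+' line).
POLICIES_AFTER = {
    "ackinfo":        "script-src 'self'; connect-src 'self'; form-action 'self';",
    "acknowledge":    "script-src 'self'; connect-src 'self'; form-action 'self';",
    "criticaleditor": "script-src 'self'; connect-src 'self'; form-action 'self';",
    "svcstatus-trends": ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
                         "form-action 'self'; sandbox allow-forms allow-scripts allow-same-origin;"),
    "svcstatus-info": ("script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; "
                       "sandbox allow-forms allow-same-origin allow-scripts allow-modals allow-popups;"),
    "svcstatus":      "script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms allow-same-origin;",
    "historylog":     "script-src 'self'; connect-src 'self'; form-action 'self'; sandbox allow-forms;",
}

# The trends policy as it was before the patch (the '-' line of the hunk).
TRENDS_BEFORE = ("script-src 'self' 'unsafe-inline'; connect-src 'self'; "
                 "form-action 'self'; sandbox allow-forms allow-scripts;")


def parse_csp(policy: str) -> CSP:
    """Serialized CSP -> {directive name: [source expressions or sandbox flags]}.

    Directives are ';'-separated, tokens inside a directive are whitespace-separated.
    A bare `sandbox` maps to an empty list (fully sandboxed).  A repeated directive
    name is ignored after its first occurrence, as browsers do."""
    parsed: CSP = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        parsed.setdefault(name, values)
    return parsed


def directives_defeated_by_opaque_origin(csp: CSP) -> List[str]:
    """`sandbox` without allow-same-origin gives the document an opaque origin.

    Assumption encoded here (my reading of the breakage): 'self' is then matched
    against that opaque origin and matches nothing, so every directive relying on
    'self' is effectively empty.  Returns the names of those directives."""
    sandbox = csp.get("sandbox")
    if sandbox is None or "allow-same-origin" in sandbox:
        return []
    return [name for name, values in csp.items() if "'self'" in values]


def sandbox_is_escapable(csp: CSP) -> bool:
    """allow-scripts together with allow-same-origin lets sandboxed script act with
    the page's real origin; with script-src 'unsafe-inline' as well, an injected
    inline script is no longer isolated from the origin by the sandbox."""
    sandbox = csp.get("sandbox")
    if sandbox is None:
        return False
    return ("allow-scripts" in sandbox and "allow-same-origin" in sandbox
            and "'unsafe-inline'" in csp.get("script-src", []))


def lint(policies: Dict[str, str]) -> Dict[str, List[str]]:
    """Run both checks over a {page: policy} table; returns {page: [findings]}."""
    findings: Dict[str, List[str]] = {}
    for page, policy in policies.items():
        csp = parse_csp(policy)
        issues: List[str] = []
        defeated = directives_defeated_by_opaque_origin(csp)
        if defeated:
            issues.append("opaque origin: 'self' in %s matches nothing" % ", ".join(defeated))
        if sandbox_is_escapable(csp):
            issues.append("sandbox escapable: allow-scripts + allow-same-origin with 'unsafe-inline'")
        if issues:
            findings[page] = issues
    return findings


if __name__ == "__main__":
    table = {"svcstatus-trends (before)": TRENDS_BEFORE, **POLICIES_AFTER}
    for page, issues in lint(table).items():
        for issue in issues:
            print("%-28s %s" % (page, issue))
```

Run stand-alone it lists the pre-patch trends policy and the unchanged `historylog` policy under the opaque-origin check, and the patched `svcstatus-trends` and `svcstatus-info` policies under the escapable-sandbox check; `svcstatus` and the three unsandboxed pages produce no finding.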