
avatar wilsonge
wilsonge
15 Mar 2020

Summary of Changes

Fixes the CSP notice when script hashes are enabled. This was caused by #25357, which made the script content an array of scripts that we now need to loop through.

Testing Instructions

Set up the CSP Component Configuration as follows:
[screenshot of the CSP component configuration, not preserved in this copy]

then navigate to the article list view.

Expected result

No PHP Warning

Actual result

Warning: hash() expects parameter 2 to be string, array given in JROOT/plugins/system/httpheaders/httpheaders.php on line 164

Documentation Changes Required

None

avatar wilsonge wilsonge - open - 15 Mar 2020
avatar wilsonge wilsonge - change - 15 Mar 2020
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 15 Mar 2020
Category Front End Plugins
avatar wilsonge wilsonge - change - 15 Mar 2020
Title
Fix notice when script hashes enabled
[4.0] Fix notice when script hashes enabled
avatar wilsonge wilsonge - edited - 15 Mar 2020
avatar SharkyKZ
SharkyKZ - comment - 15 Mar 2020

This fixes the notice but functionality is still broken. Hashes don't match because renderer adds line breaks and tabs to inline scripts/styles.

avatar wilsonge
wilsonge - comment - 15 Mar 2020

This fixes the notice but functionality is still broken. Hashes don't match because renderer adds line breaks and tabs to inline scripts/styles.

How do I reproduce? As far as I can see at a glance, the inline styles etc. are being blocked, but I'm struggling to prove whether the hashes are correct or not.

avatar SharkyKZ
SharkyKZ - comment - 15 Mar 2020

Enable hashes and add script-src and style-src directives with self value. Inline scripts/styles added with Document API are blocked but they shouldn't be.

avatar wilsonge
wilsonge - comment - 23 Mar 2020

@zero-24 I need you to look into this. I can't figure out what's going on here

avatar zero-24
zero-24 - comment - 24 Mar 2020

Well, it is that the API no longer returns the actual style & script information. I think we have two ways around that. One would be that we fix the API so it correctly returns the script to be added in the end. The other way would be that we add the missing parts ourselves to the script to get the correct hash within the plugin code.

@SharkyKZ found the reason here: #26505 (comment)

Since #25357 rendered scripts/styles have formatting added to them. But the hash is generated from scripts/styles without formatting. So the hashes don't match scripts/styles that appear on the page.

Assuming SRI works on pages with MIME type other than text/html, this was actually broken since the beginning because we wrap code in CDATA on such pages:

$buffer .= $tab . $tab . '/*<![CDATA[*/' . $lnEnd;
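The two problems discussed in this thread, the plugin passing an array to hash() (the warning in the PR description) and the hashes being computed over unformatted script bodies while the renderer emits tabs, line breaks and a CDATA wrapper (zero-24's comment above), can be shown in a few lines. The following is an added example, not code from the Joomla plugin or renderer: the shape of the scripts array, the renderInlineScript() helper and the sample script bodies are constructed for illustration; the CDATA line is the one quoted above.

```php
<?php
// Added example, not Joomla's own code. Demonstrates how a CSP 'sha256-...'
// source for inline content is derived, why each script in an array must be
// hashed individually, and why render-time formatting breaks the match.

/**
 * Compute a CSP hash source for one inline script or style body.
 * A browser hashes exactly the bytes between the opening and closing tag,
 * so the input must be the content as rendered, not a pre-formatting copy.
 */
function cspHashSource(string $content, string $algo = 'sha256'): string
{
    return $algo . '-' . base64_encode(hash($algo, $content, true));
}

/**
 * Build one hash source per inline script. The document API now returns
 * an array of script bodies (shape assumed here), so each entry is hashed
 * on its own; passing the whole array to hash() raises the warning the PR fixes.
 */
function cspHashSourcesForScripts(array $scripts, string $algo = 'sha256'): array
{
    $sources = [];

    foreach ($scripts as $entries) {
        foreach ((array) $entries as $body) {
            $sources[] = "'" . cspHashSource($body, $algo) . "'";
        }
    }

    return $sources;
}

/**
 * Hypothetical stand-in for the renderer's formatting described in the thread:
 * indentation, line ends and, on non-text/html pages, a CDATA wrapper.
 */
function renderInlineScript(string $body, bool $cdata = false): string
{
    $tab   = "\t";
    $lnEnd = "\n";
    $buffer = '';

    if ($cdata) {
        $buffer .= $tab . $tab . '/*<![CDATA[*/' . $lnEnd;
    }

    $buffer .= $tab . $tab . $body . $lnEnd;

    if ($cdata) {
        $buffer .= $tab . $tab . '/*]]>*/' . $lnEnd;
    }

    return $buffer;
}

/** True when the hash emitted in the header covers the bytes actually rendered. */
function hashCoversRenderedBytes(string $hashedContent, string $renderedContent): bool
{
    return cspHashSource($hashedContent) === cspHashSource($renderedContent);
}

// Constructed sample: two inline scripts registered under one MIME type.
$scripts = [
    'text/javascript' => ["console.log('a');", "console.log('b');"],
];

// Correct handling of the array: one hash source per script body.
echo "script-src 'self' " . implode(' ', cspHashSourcesForScripts($scripts)) . PHP_EOL;

// The mismatch from the thread: hashing the raw body while the page contains
// the formatted body (with or without CDATA) yields a different digest.
$raw = "console.log('a');";
echo 'raw vs formatted:       '
    . (hashCoversRenderedBytes($raw, renderInlineScript($raw)) ? 'match' : 'mismatch') . PHP_EOL;
echo 'raw vs formatted+CDATA: '
    . (hashCoversRenderedBytes($raw, renderInlineScript($raw, true)) ? 'match' : 'mismatch') . PHP_EOL;

// Hashing the same bytes the renderer emits is what makes the header valid.
$rendered = renderInlineScript($raw);
echo 'rendered vs rendered:   '
    . (hashCoversRenderedBytes($rendered, $rendered) ? 'match' : 'mismatch') . PHP_EOL;
```

Because the formatted output differs from the raw body by at least the added tabs and line end, the first two comparisons cannot match; only a hash computed over the bytes that actually reach the page (either by having the API return the final script, or by applying the same formatting inside the plugin before hashing, the two options zero-24 lists) is accepted by the browser. A quick manual check is to copy the exact text between the rendered script tags into a sha256 tool, base64-encode the raw digest, and compare it with the value in the Content-Security-Policy header.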

avatar carcam
carcam - comment - 2 Apr 2020

I have tested this item successfully on 627af12

Tested successfully in a new J4 install at launch site.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28353.

avatar carcam carcam - test_item - 2 Apr 2020 - Tested successfully
avatar luisorozoli
luisorozoli - comment - 2 Apr 2020

I have tested this item successfully on 627af12

Tested OK! in J4 launch site.


avatar luisorozoli luisorozoli - test_item - 2 Apr 2020 - Tested successfully
avatar wilsonge wilsonge - change - 3 Apr 2020
Status Pending Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2020-04-03 16:20:35
Closed_By wilsonge
Labels Added: ?
avatar wilsonge wilsonge - close - 3 Apr 2020
avatar wilsonge wilsonge - merge - 3 Apr 2020
avatar wilsonge
wilsonge - comment - 3 Apr 2020

#28557 Issue for the fact things are broken
