
avatar zero-24
zero-24
14 Jun 2020

Summary of Changes

Issue warnings when unsafe-inline or unsafe-eval are used in auto mode

Testing Instructions

  • apply this patch
  • switch com_csp in detect mode
  • visit the frontend with eval and/or inline CSS usage
  • publish the collected reports about unsafe-inline / unsafe-eval
  • switch com_csp to auto mode

Expected result

You get a warning as this bypasses the CSP


Actual result

You get no info about that bypass.

Documentation Changes Required

Yes.
https://help.joomla.org/proxy?keyref=Help40:Components_CSP_Reports_Options && https://help.joomla.org/proxy?keyref=J4.x:Http_Header_Management

Acknowledgements

Warnings / Message text based on https://csp-evaluator.withgoogle.com/
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().
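Added example (not code from this PR or from Joomla's com_csp): a standalone Python sketch of the check this PR adds. It aggregates constructed CSP violation reports into a policy the way an auto mode might, and emits the warning text quoted above whenever 'unsafe-inline' or 'unsafe-eval' would end up in the policy. The report shape follows the browser's csp-report JSON; the mapping of blocked-uri "inline"/"eval" to the two keywords is an assumption about how auto mode turns reports into a policy.

```python
import json

# Warning text as quoted in the PR description (based on csp-evaluator.withgoogle.com)
WARNINGS = {
    "'unsafe-inline'": "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.",
    "'unsafe-eval'": "'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().",
}

# Constructed sample reports, shaped like what a browser posts to report-uri in detect mode
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"violated-directive": "script-src", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"violated-directive": "script-src", "blocked-uri": "eval"}}),
    json.dumps({"csp-report": {"violated-directive": "style-src", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"violated-directive": "img-src", "blocked-uri": "https://cdn.example.test/x.png"}}),
]


def source_from_blocked_uri(blocked_uri):
    """Map a blocked-uri to the source expression auto mode would add (assumed mapping)."""
    if blocked_uri == "inline":
        return "'unsafe-inline'"
    if blocked_uri == "eval":
        return "'unsafe-eval'"
    if "://" not in blocked_uri:  # other keywords such as "data" pass through unchanged
        return blocked_uri
    # A real URL: allow only its origin (scheme + host), never the full path
    scheme, _, rest = blocked_uri.partition("://")
    return f"{scheme}://{rest.split('/', 1)[0]}"


def build_policy(raw_reports):
    """Aggregate collected reports into a policy string plus the warnings auto mode should show."""
    directives = {}
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        # Older browsers send "script-src 'self' ..." here; keep only the directive name
        directive = report["violated-directive"].split()[0]
        src = source_from_blocked_uri(report["blocked-uri"])
        if src not in directives.setdefault(directive, []):
            directives[directive].append(src)
    warnings = [
        f"{directive}: {WARNINGS[src]}"
        for directive, sources in directives.items()
        for src in sources
        if src in WARNINGS  # the bypass this PR warns about
    ]
    policy = "; ".join(f"{d} {' '.join(s)}" for d, s in directives.items())
    return policy, warnings
```

With the sample reports, script-src and style-src each trigger a warning while the img-src origin is added silently, which is the behaviour the testing instructions describe.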

avatar zero-24 zero-24 - open - 14 Jun 2020
avatar zero-24 zero-24 - change - 14 Jun 2020
Status: New → Pending
avatar joomla-cms-bot joomla-cms-bot - change - 14 Jun 2020
Category: Administration, com_csp, Language & Strings
avatar zero-24 zero-24 - change - 14 Jun 2020
The description was changed
avatar zero-24 zero-24 - edited - 14 Jun 2020
avatar zero-24 zero-24 - change - 14 Jun 2020
avatar richard67 richard67 - change - 14 Jun 2020
The description was changed
avatar richard67 richard67 - edited - 14 Jun 2020
avatar richard67
richard67 - comment - 14 Jun 2020

@zero-24 Is it correct that I first have to change the mode from "Detect" to "Automatic" before publishing the reports? When still in detect mode I don't get the new warnings. If this is correct, then your PR works as intended.

avatar richard67
richard67 - comment - 14 Jun 2020

Ah I see I get the message also in the reverse order, when I publish the reports and then change the mode. I get them with mode change then. Makes sense to me and I think it is right.

avatar richard67 richard67 - test_item - 14 Jun 2020 - Tested successfully
avatar richard67
richard67 - comment - 14 Jun 2020

I have tested this item successfully on 701cab1


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29602.

avatar richard67
richard67 - comment - 14 Jun 2020

@zero-24 Maybe you should add the step to change the mode from "Detect" to "Automatic" to your testing instructions. It is currently missing there. The title of the PR tells it too, so in the end I found it out. But for other testers it would maybe be easier to test then.

avatar zero-24 zero-24 - change - 14 Jun 2020
The description was changed
avatar zero-24 zero-24 - edited - 14 Jun 2020
avatar zero-24
zero-24 - comment - 14 Jun 2020

Done.

avatar richard67 richard67 - change - 14 Jun 2020
The description was changed
avatar richard67 richard67 - edited - 14 Jun 2020
avatar ceford ceford - test_item - 15 Jun 2020 - Tested successfully
avatar ceford
ceford - comment - 15 Jun 2020

I have tested this item successfully on 701cab1

I changed the image in Help4.x:Components CSP Reports Options, also appearing in J4.x:Http Header Management, for one showing the message and a list of reports.


avatar jwaisner jwaisner - change - 16 Jun 2020
Status: Pending → Ready to Commit
avatar jwaisner
jwaisner - comment - 16 Jun 2020

RTC


avatar richard67
richard67 - comment - 16 Jun 2020

@jwaisner Did you notice @Quy 's review comments above?

avatar zero-24 zero-24 - change - 16 Jun 2020
avatar richard67
richard67 - comment - 16 Jun 2020

@zero-24 After the last corrections I get this only with the patch applied:

[screenshot: j4-pr-29602_error]

avatar richard67
richard67 - comment - 16 Jun 2020

@Quy Seems you have forgotten to remove the closing bracket, too, in your suggested changes. See my previous review comments and the screenshot.

avatar richard67 richard67 - change - 16 Jun 2020
Status: Ready to Commit → Pending
avatar richard67
richard67 - comment - 16 Jun 2020

Back to pending.


avatar zero-24 zero-24 - change - 16 Jun 2020
avatar richard67 richard67 - test_item - 16 Jun 2020 - Tested successfully
avatar richard67
richard67 - comment - 16 Jun 2020

I have tested this item successfully on 38e3442


avatar richard67
richard67 - comment - 16 Jun 2020

One more test needed.

avatar Quy Quy - test_item - 16 Jun 2020 - Tested successfully
avatar Quy
Quy - comment - 16 Jun 2020

I have tested this item successfully on 38e3442


avatar Quy Quy - change - 16 Jun 2020
Status: Pending → Ready to Commit
avatar Quy
Quy - comment - 16 Jun 2020

RTC


avatar wilsonge wilsonge - change - 16 Jun 2020
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2020-06-16 20:25:40
Closed_By: wilsonge
avatar wilsonge wilsonge - close - 16 Jun 2020
avatar wilsonge wilsonge - merge - 16 Jun 2020
avatar wilsonge
wilsonge - comment - 16 Jun 2020

Thanks!
