Hystepik 2025-02-10 10:27:06 +01:00
parent b3d80ea432
commit bc54d4c6cf
3 changed files with 14 additions and 14 deletions


@ -167,7 +167,7 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
}
// Content-Security-Policy
if (!defined('WEBSITE_'.$object->id.'_SECURITY_FORCECSP')) {
if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCECSP')) {
// A default security policy that keep usage of js external component like ckeditor, stripe, google, working
// For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
// default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
@ -178,7 +178,7 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
//
// $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
// $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
$contentsecuritypolicy = getDolGlobalString('WEBSITE_'.$object->id.'_SECURITY_FORCECSP');
$contentsecuritypolicy = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCECSP');
if (!is_object($hookmanager)) {
include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
@ -200,32 +200,32 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
}
// Referrer-Policy
if (!defined('WEBSITE_'.$object->id.'_SECURITY_FORCERP')) {
if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCERP')) {
// The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by page, but the variable used just after may be
// For public web sites, we use the same default value than "strict-origin-when-cross-origin"
$referrerpolicy = getDolGlobalString('WEBSITE_'.$object->id.'_SECURITY_FORCERP', "strict-origin-when-cross-origin");
$referrerpolicy = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCERP', "strict-origin-when-cross-origin");
header("Referrer-Policy: ".$referrerpolicy);
}
// Strict-Transport-Security
if (!defined('WEBSITE_'.$object->id.'_SECURITY_FORCESTS')) {
if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCESTS')) {
// The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be
// Example: "max-age=31536000; includeSubDomains"
$sts = getDolGlobalString('WEBSITE_'.$object->id.'_SECURITY_FORCESTS');
$sts = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCESTS');
if (!empty($sts)) {
header("Strict-Transport-Security: ".$sts);
}
}
// Permissions-Policy (old name was Feature-Policy)
if (!defined('WEBSITE_'.$object->id.'_SECURITY_FORCEPP')) {
if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCEPP')) {
// The constant WEBSITE_MAIN_SECURITY_FORCEPP should never be defined by page, but the variable used just after may be
// Example: "camera: 'none'; microphone: 'none';"
$pp = getDolGlobalString('WEBSITE_'.$object->id.'_SECURITY_FORCEPP');
$pp = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCEPP');
if (!empty($pp)) {
header("Permissions-Policy: ".$pp);
}
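Review bot: The example value in the Permissions-Policy comment, `// Example: "camera: 'none'; microphone: 'none';"`, is not valid Permissions-Policy syntax, so an administrator who copies it into the WEBSITE_<id>_SECURITY_FORCEPP setting will produce a header that browsers silently ignore. Permissions-Policy (the name actually sent on the `header(...)` line) uses the structured-dictionary grammar, whereas the quoted `'none'` token form belonged to the superseded Feature-Policy header and even there took no colon; I would change the comment to `// Example: "camera=(), microphone=(), geolocation=()"`. The lead comments of the CSP, Referrer-Policy, STS and Permissions-Policy blocks still name WEBSITE_MAIN_SECURITY_FORCE* while the conditions now check WEBSITE_<website id>_SECURITY_FORCE*, so those comments should be updated to the per-website constant as well. Whether `$website` is guaranteed to be set on every path that reaches this code cannot be seen from the hunk and is worth confirming, since a missing object would disable all of these headers with only a warning. The enclosing `if (!defined('USEDOLIBARRSERVER') ...)` block starts and ends outside this hunk.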


@ -2984,7 +2984,7 @@ if ($action == 'removecspsource' && $usercanedit) {
if (empty($directive)) {
$error++;
}
if ($error || (!isset($sourcekey) && $directivesarray[$directive]["data-directivetype"] != "none")) {
if ($error || (!is_null($sourcekey) && $directivesarray[$directive]["data-directivetype"] != "none")) {
$error++;
}
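Review bot: The new condition `!is_null($sourcekey)` on the `if ($error || ...)` line inverts the guard rather than tightening it: for a variable that has been assigned, `!isset($v)` is true exactly when `$v` is null, so the equivalent of the old `!isset($sourcekey)` is `is_null($sourcekey)`, not its negation. As written, removing a source from any directive whose `data-directivetype` is not `"none"` now increments `$error` whenever a key is supplied and passes when the key is absent, which is the opposite of what the old check enforced. I would write `if ($error || (is_null($sourcekey) && $directivesarray[$directive]["data-directivetype"] != "none")) {`, and if the assignment of `$sourcekey` (outside this hunk) comes from a GETPOST-style helper that returns `''` instead of null, the test should be `$sourcekey === ''` so that an empty key is rejected too. The `$action == 'removecspsource'` block begins before this hunk and continues after it.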


@ -28,7 +28,7 @@
* Prepare array of tabs for Website
*
* @param Website $object Website
* @return array Array of tabs
* @return array<array{0:string,1:string,2:string}> Array of tabs
*/
function websiteconfigPrepareHead($object)
{
@ -94,7 +94,7 @@ function websiteconfigPrepareHead($object)
/**
* Prepare array of directives for Website
*
* @return array Array of directives
* @return array<array{string:array{string:string}}> Array of directives
*/
function websiteGetContentPolicyDirectives()
{
@ -136,7 +136,7 @@ function websiteGetContentPolicyDirectives()
/**
* Prepare array of sources for Website
*
* @return array Array of sources
* @return array<array{string:array{string:array{string:string}}}> Array of sources
*/
function websiteGetContentPolicySources()
{
@ -190,7 +190,7 @@ function websiteGetContentPolicySources()
* Transform a Content Security Policy to an array
* @param string $forceCSP content security policy
*
* @return array Array of sources
* @return array<array{string:array{"data":array{int:string},int:string}}> Array of sources
*/
function websiteGetContentPolicyToArray($forceCSP)
{
@ -220,7 +220,7 @@ function websiteGetContentPolicyToArray($forceCSP)
$forceCSPArr[$directive] = array();
} else {
//Loop on each sources to add to the right directive array key
foreach ($sources as $key => $source) {
foreach ($sources as $key2 => $source) {
$source = str_replace(":", "", $source);
$source = str_replace("'", "", $source);