From: Jakub Vrana <jakub@vrana.cz>
Date: Sat, 13 Jan 2018 21:17:00 +0000 (+0100)
Subject: Disallow scripts without nonce
X-Git-Tag: v4.4.0~19
X-Git-Url: https://git.joonet.de/?a=commitdiff_plain;h=80d030f51a9323b7ab774641ffdb4d2752e3753d;p=adminer.git

Disallow scripts without nonce
---

diff --git a/adminer/include/adminer.inc.php b/adminer/include/adminer.inc.php
index aed9e0e3..736889eb 100644
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -420,7 +420,7 @@ class Adminer {
 		echo "<fieldset><legend>" . lang('Action') . "</legend><div>";
 		echo "<input type='submit' value='" . lang('Select') . "'>";
 		echo " <span id='noindex' title='" . lang('Full table scan') . "'></span>";
-		echo "<script>\n";
+		echo "<script" . nonce() . ">\n";
 		echo "var indexColumns = ";
 		$columns = array();
 		foreach ($indexes as $index) {
@@ -897,7 +897,7 @@ class Adminer {
 			if (support("sql")) {
 				echo script_src("../externals/jush/modules/jush-$jush.js");
 				?>
-<script>
+<script<?php echo nonce(); ?>>
 <?php
 				if ($tables) {
 					$links = array();
diff --git a/adminer/include/design.inc.php b/adminer/include/design.inc.php
index 4fc6842c..eea72ed0 100644
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@@ -33,7 +33,7 @@ function page_header($title, $error = "", $breadcrumb = array(), $title2 = "") {
 <?php } ?>
 
 <body class="<?php echo lang('ltr'); ?> nojs">
-<script>
+<script<?php echo nonce(); ?>>
 mixin(document.body, {onkeydown: bodyKeydown, onclick: bodyClick<?php echo (isset($_COOKIE["adminer_version"]) ? "" : ", onload: partial(verifyVersion, '$VERSION')"); ?>});
 document.body.className = document.body.className.replace(/ nojs/, ' js');
 var offlineMessage = '<?php echo js_escape(lang('You are offline.')); ?>';
@@ -109,7 +109,7 @@ function page_headers() {
 function csp() {
 	return array(
 		"default-src" => "'none'",
-		"script-src" => "'self' 'unsafe-inline'",
+		"script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
 		"style-src" => "'self' 'unsafe-inline'",
 		"connect-src" => "'self'",
 		"img-src" => "'self' data:",
@@ -118,6 +118,17 @@ function csp() {
 	);
 }
 
+/** Get a CSP nonce
+* @return string Base64 value
+*/
+function get_nonce() {
+	static $nonce;
+	if (!$nonce) {
+		$nonce = base64_encode(rand_string());
+	}
+	return $nonce;
+}
+
 /** Print flash and error messages
 * @param string
 * @return null
diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index 6cfc0108..44722724 100644
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -87,7 +87,7 @@ function charset($connection) {
 * @return string
 */
 function script($source, $trailing = "\n") {
-	return "<script>$source</script>$trailing";
+	return "<script" . nonce() . ">$source</script>$trailing";
 }
 
 /** Return <script src> element
@@ -95,7 +95,14 @@ function script($source, $trailing = "\n") {
 * @return string
 */
 function script_src($url) {
-	return "<script src='" . h($url) . "'></script>\n";
+	return "<script src='" . h($url) . "'" . nonce() . "></script>\n";
+}
+
+/** Get a nonce="" attribute with CSP nonce
+* @return string
+*/
+function nonce() {
+	return ' nonce="' . get_nonce() . '"';
 }
 
 /** Escape for HTML
@@ -1242,7 +1249,7 @@ function slow_query($query) {
 	if (support("kill") && is_object($connection2 = connect()) && ($db == "" || $connection2->select_db($db))) {
 		$kill = $connection2->result(connection_id()); // MySQL and MySQLi can use thread_id but it's not in PDO_MySQL
 		?>
-<script>
+<script<?php echo nonce(); ?>>
 var timeout = setTimeout(function () {
 	ajax('<?php echo js_escape(ME); ?>script=kill', function () {
 	}, 'token=<?php echo $token; ?>&kill=<?php echo $kill; ?>');
diff --git a/adminer/include/version.inc.php b/adminer/include/version.inc.php
index 98e72eac..63110a0e 100644
--- a/adminer/include/version.inc.php
+++ b/adminer/include/version.inc.php
@@ -1,2 +1,2 @@
 <?php
-$VERSION = "4.3.2-dev";
+$VERSION = "4.4.0-dev";
diff --git a/adminer/schema.inc.php b/adminer/schema.inc.php
index dfb4c402..f092d88c 100644
--- a/adminer/schema.inc.php
+++ b/adminer/schema.inc.php
@@ -49,7 +49,7 @@ foreach (table_status('', true) as $table => $table_status) {
 
 ?>
 <div id="schema" style="height: <?php echo $top; ?>em;">
-<script>
+<script<?php echo nonce(); ?>>
 qs('#schema').onselectstart = function () { return false; };
 var tablePos = {<?php echo implode(",", $table_pos_js) . "\n"; ?>};
 var em = qs('#schema').offsetHeight / <?php echo $top; ?>;
diff --git a/changes.txt b/changes.txt
index 093ca329..6bdd60ad 100644
--- a/changes.txt
+++ b/changes.txt
@@ -1,5 +1,6 @@
-Adminer 4.3.2-dev:
+Adminer 4.4.0-dev:
 Add Content Security Policy
+Disallow scripts without nonce
 Add nosniff header
 PHP 7.1: Prevent warning when using empty limit
 MySQL: Remove dedicated view for replication status (added in 4.3.0)
diff --git a/plugins/login-sqlite.php b/plugins/login-sqlite.php
index 1d8bf0b8..2370a098 100644
--- a/plugins/login-sqlite.php
+++ b/plugins/login-sqlite.php
@@ -14,7 +14,7 @@ class AdminerLoginSqlite {
 
 	function loginForm() {
 		?>
-<script>
+<script<?php echo nonce(); ?>>
 addEventListener('load', function () {
 	var driver = qs('name="auth[driver]"');
 	if (isTag(driver, 'select')) {
diff --git a/plugins/tables-filter.php b/plugins/tables-filter.php
index 773d4d96..ada866b0 100644
--- a/plugins/tables-filter.php
+++ b/plugins/tables-filter.php
@@ -24,7 +24,7 @@ foreach ($tables as $table => $status) {
 }
 ?>
 </ul>
-<script>
+<script<?php echo nonce(); ?>>
 var tablesFilterTimeout = null;
 var tablesFilterValue = '';
 
diff --git a/plugins/tinymce.php b/plugins/tinymce.php
index 59620a01..5190b1c8 100644
--- a/plugins/tinymce.php
+++ b/plugins/tinymce.php
@@ -29,7 +29,7 @@ class AdminerTinymce {
 		}
 		echo script_src($this->path);
 		?>
-<script>
+<script<?php echo nonce(); ?>>
 tinyMCE.init({
 	mode: 'none',
 	theme: 'advanced',