Merge pull request #16380 from Dreamsorcerer/patch-1

Allow use of server var for CSP nonce
nextcloud · Jul 18, 2019 · 057e88e · 057e88e
2 parents 940a313 + ea935f6
commit 057e88e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -58,7 +58,11 @@ public function __construct(CsrfTokenManager $csrfTokenManager,
 	 */
 	public function getNonce(): string {
 		if($this->nonce === '') {
-			$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+			if (empty($this->request->server['CSP_NONCE'])) {
+				$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+			} else {
+				$this->nonce = $this->request->server['CSP_NONCE'];
+			}
 		}
 
 		return $this->nonce;

diff --git a/tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php b/tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php
@@ -21,23 +21,26 @@
 
 namespace Test\Security\CSP;
 
+use OC\AppFramework\Http\Request;
 use OC\Security\CSP\ContentSecurityPolicyNonceManager;
 use OC\Security\CSRF\CsrfToken;
 use OC\Security\CSRF\CsrfTokenManager;
-use OCP\IRequest;
 use Test\TestCase;
 
 class ContentSecurityPolicyNonceManagerTest extends TestCase  {
 	/** @var CsrfTokenManager */
 	private $csrfTokenManager;
+	/** @var Request */
+	private $request;
 	/** @var ContentSecurityPolicyNonceManager */
 	private $nonceManager;
 
 	public function setUp() {
 		$this->csrfTokenManager = $this->createMock(CsrfTokenManager::class);
+		$this->request = $this->createMock(Request::class);
 		$this->nonceManager = new ContentSecurityPolicyNonceManager(
 			$this->csrfTokenManager,
-			$this->createMock(IRequest::class)
+			$this->request
 		);
 	}
 
@@ -56,4 +59,20 @@ public function testGetNonce() {
 		$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
 		$this->assertSame('TXlUb2tlbg==', $this->nonceManager->getNonce());
 	}
+
+	public function testGetNonceServerVar() {
+		$token = 'SERVERNONCE';
+		$this->request
+			->method('__isset')
+			->with('server')
+			->willReturn(true);
+
+		$this->request
+			->method('__get')
+			->with('server')
+			->willReturn(['CSP_NONCE' => $token]);
+
+		$this->assertSame($token, $this->nonceManager->getNonce());
+		$this->assertSame($token, $this->nonceManager->getNonce());
+	}
 }