* Mon Dec 30 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-33.sme

- host locally flag-icon.min.css 3.5.0 [SME: 12845]
- remove onclick to comply with strict CSP [SME: 12846]
- add CSP rules with specific hash [SME: 12840]
This commit is contained in:
Jean-Philippe Pialasse 2024-12-31 01:25:04 -05:00
parent b58f82a332
commit 58c3f2348a
17 changed files with 119 additions and 66 deletions


@ -39,7 +39,13 @@
$OUT .= "# private access by default\n";
$OUT .= " Require ip $localAccess $externalSSLAccess\n";
}
$OUT .= " </Location>\n";
# any smanager script or style added in line should be hashed and added here to run in a modern browser
$OUT .= " Header set Content-Security-Policy \"script-src 'self' 'unsafe-eval' 'unsafe-hashes' "
." 'sha256-X8Qwlk0M9iDTQZqFVpbVcThRjBqQXpwTOZCLX8I+Frk=' 'sha256-inQ04nmqTZI75Z5g/tAzjahedNugPFfrhxHyoFezFkM=' 'sha256-5IsIX+Vbow7wwy2RjR3+5X06R/0CQZPkw3OHj/228cM=' 'sha256-tfVskwioRaNsV75h89itf7FujMgIrodfs1Ea4UAJNpE=' 'sha256-P51OyslUh5bGkoWk9qY+o4Su4HuwNFoQcFCeNxF7Ms8=' ; "
." style-src 'self' 'unsafe-hashes' "
." 'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' 'sha256-a1tyxi1vRpW2Q9+0hM+nBA250/jWJlJdeR43c5r90PI=' 'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' 'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' 'sha256-2iGOQeZyvW9G2X+8IhZDG+GPRpXQTxUg/2QxdI+dyEg=' 'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' 'sha256-2iGOQeZyvW9G2X+8IhZDG+GPRpXQTxUg/2QxdI+dyEg=' ;"
." \"\n";
$OUT .= " </Location>\n";
# prevent caching of manager files in browser
$OUT .= " <LocationMatch \"/$place/.+\.(html|cgi)\$\">\n";
$OUT .= " Header set Cache-Control no-store\n";
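Review bot: The style-src hash list on the continuation line carries `'sha256-2iGOQeZyvW9G2X+8IhZDG+GPRpXQTxUg/2QxdI+dyEg='` twice, and nothing records which inline snippet each of the hashes protects, so the next edit to an inline script or style will break the page with no pointer back to this template; the comment above the header should list where each hash comes from, e.g. `# one hash per inline <script>/<style> block in the layout templates - regenerate every hash when those blocks change`. The policy sets only script-src and style-src, so adding `default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'` would close the resource types it currently leaves unrestricted. Since this commit removes the inline onclick handlers, `'unsafe-hashes'` in script-src may no longer be required, and `'unsafe-eval'` deserves a comment naming the library that needs it so it can be dropped once that dependency goes. The template block building this `$OUT` sequence starts outside the hunk.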



@ -33,7 +33,7 @@
%= javascript '/js/buttons.print.min.js'
%= javascript '/js/flag-by-locale.js'
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/flag-icon-css/3.5.0/css/flag-icon.min.css">
<link rel="stylesheet" href="/smanager/css/flag-icon.min.css">
%= stylesheet '/css/sme-jquery-overrides.css'
<style>
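Review bot: The new stylesheet link hard-codes the `/smanager/` prefix while the neighbouring `%= javascript '/js/...'` and `%= stylesheet '/css/...'` helper calls leave the mount point to the framework; if those helpers resolve against the application's base path, `%= stylesheet '/css/flag-icon.min.css'` keeps the three lines consistent and survives a change of mount point. The vendored copy also deserves a short comment recording its upstream origin and version (3.5.0 per the commit message) so it can be re-checked against upstream later. The surrounding head block starts and ends outside the hunk.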


@ -51,10 +51,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $domain_name = $domain->{Domain}; # Domain name extracted from the data structure
%my $actionModify = qq{
% <button type='button' class='sme-modify-button' title='$modify_text'
% onclick="window.location.href='domains2?CsrfDef=$csrf_token&trt=UPD&Domain=$domain_name'">
% <a href="domains2?CsrfDef=$csrf_token&trt=UPD&Domain=$domain_name">
% <button type='button' class='sme-modify-button' title='$modify_text' >
% $modify_text
% </button>
% </a>
%};
%my $removable = ($domain->{Removable} || 'yes');
%my $actionRemove = '&nbsp;';
@ -63,10 +64,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $domain_name = $domain->{Domain}; # Domain name extracted from the data structure
%$actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='domains2?CsrfDef=$csrf_token&trt=DEL&Domain=$domain_name'">
% <a href="domains2?CsrfDef=$csrf_token&trt=DEL&Domain=$domain_name">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
%# $actionRemove = "<a href='domains2?CsrfDef=TOKEN&trt=DEL&Domain=" . $domain->{Domain} . "'>" . "<button class='sme-remove-button' title=".l('REMOVE').">".l('REMOVE')."</button>" . "</a>";
%};
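Review bot: The new `<a href=...>` lines interpolate `$domain_name` straight into a URL inside an HTML attribute, and the resulting string then goes through `render_to_string(inline => ...)`, so a value containing `&`, a quote or a `<%` sequence would corrupt the query string or the inline template; escaping at the point of declaration (`my $domain_name = url_escape($domain->{Domain});` with `url_escape` from Mojo::Util) makes the link robust, and the same applies to the equivalent hrefs in the groups, hostentries, ibays, localnetworks, portforwarding, printers, pseudonyms, quotas and useraccounts sections. A `<button>` nested inside `<a>` is non-conforming HTML (interactive content is not permitted inside an anchor), so putting the `sme-modify-button`/`sme-remove-button` class on the anchor itself and dropping the inner button is the conforming form. The `CsrfDef=$csrf_token` value is the literal `"TOKEN"` declared on the context line above, so unless it is substituted further down the pipeline these state-changing DEL/UPD links carry no real CSRF protection — worth confirming in a follow-up. The block that assigns `$actionRemove` begins outside the hunk.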


@ -43,19 +43,21 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $group_name = $group->key; # group name extracted from the data structure
%my $actionModify = qq{
% <button type='button' class='sme-modify-button' title='$modify_text'
% onclick="window.location.href='groups2?CsrfDef=$csrf_token&trt=UPD&group=$group_name'">
% <a href="groups2?CsrfDef=$csrf_token&trt=UPD&group=$group_name">
% <button type='button' class='sme-modify-button' title='$modify_text' >
% $modify_text
% </button>
% </a>
%};
%my $remove_text = l('REMOVE'); # Localized text
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $group_name = $group->key; # group name extracted from the data structure
%my $actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='groups2?CsrfDef=$csrf_token&trt=DEL&group=$group_name'">
% <a href="groups2?CsrfDef=$csrf_token&trt=DEL&group=$group_name">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
<%= $c->render_to_string(inline => $actionModify) %> <%= $c->render_to_string(inline => $actionRemove) %>
</td>


@ -57,19 +57,21 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $hostentries_name = $_->{'HostName'}; # hostentries name extracted from the data structure
%$actionModify = qq{
% <button type='button' class='sme-modify-button' title='$modify_text'
% onclick="window.location.href='hostentriesd?CsrfDef=$csrf_token&trt=UPD&Hostname=$hostentries_name'">
% <a href="hostentriesd?CsrfDef=$csrf_token&trt=UPD&Hostname=$hostentries_name">
% <button type='button' class='sme-modify-button' title='$modify_text' >
% $modify_text
% </button>
% </a>
%};
%my $remove_text = l('REMOVE'); # Localized text
%my $csrf_token = "TOKEN"; # CSRF token for security
%#my $hostentries_name = $_->{'HostName'}; # hostentries name extracted from the data structure
%$actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='hostentriesd?CsrfDef=$csrf_token&trt=DEL&Hostname=$hostentries_name'">
% <a href="hostentriesd?CsrfDef=$csrf_token&trt=DEL&Hostname=$hostentries_name">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
%}
<%= $c->render_to_string(inline => $actionModify) %> <%= $c->render_to_string(inline => $actionRemove) %>


@ -53,10 +53,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $ibays_entry_name = $ibay->key; # ibays_entry name extracted from the data structure
%$actionModify = qq{
% <button type='button' class='sme-modify-button' title='$modify_text'
% onclick="window.location.href='ibaysd?CsrfDef=$csrf_token&trt=UPD&ibay=$ibays_entry_name'">
% <a href="ibaysd?CsrfDef=$csrf_token&trt=UPD&ibay=$ibays_entry_name">
% <button type='button' class='sme-modify-button' title='$modify_text' >
% $modify_text
% </button>
% </a>
%};
%}
@ -66,17 +67,19 @@
%my $ibays_entry_name = $ibay->key; # ibays_entry name extracted from the data structure
%if ($ibay->prop('PasswordSet') ne 'yes' && $needPassword) {
%$actionResetPw = qq{
% <button type='button' class='sme-password-button unset' title="$password_text - currently unset" style = background:pink;
% onclick="window.location.href='ibaysd?CsrfDef=$csrf_token&trt=PWD&ibay=$ibays_entry_name'">
% <a href="ibaysd?CsrfDef=$csrf_token&trt=PWD&ibay=$ibays_entry_name">
% <button type='button' class='sme-password-button unset' title="$password_text - currently unset" style = background:pink; >
% $password_text
% </button>
% </a>
%};
%} else {
%$actionResetPw = qq{
% <button type='button' class='sme-password-button' title='$password_text'
% onclick="window.location.href='ibaysd?CsrfDef=$csrf_token&trt=PWD&ibay=$ibays_entry_name'">
% <a href="ibaysd?CsrfDef=$csrf_token&trt=PWD&ibay=$ibays_entry_name">
% <button type='button' class='sme-password-button' title='$password_text' >
% $password_text
% </button>
% </a>
%};
%}
@ -87,10 +90,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $ibays_entry_name = $ibay->key; # ibays_entry name extracted from the data structure
%$actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='ibaysd?CsrfDef=$csrf_token&trt=DEL&ibays=$ibays_entry_name'">
% <a href="ibaysd?CsrfDef=$csrf_token&trt=DEL&ibays=$ibays_entry_name">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
%}
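Review bot: The inline `style = background:pink;` attribute kept on the new unset-password button line is exactly the kind of inline style the new CSP only admits through `'unsafe-hashes'` plus a matching hash, so moving the colour into the existing `unset` class in the stylesheet (`.sme-password-button.unset { background: pink; }`) would drop one hash from the policy and remove the dependency; the same inline style appears on the useraccounts unset-password button. The attribute value is also unquoted with spaces around `=`, which browsers tolerate but which reads as a typo — `style='background:pink;'` if it must stay inline. The `%if`/`%else` that sets `$actionResetPw` sits entirely inside the middle hunk, while the first and last hunks begin inside blocks that start outside the view.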
<%= $c->render_to_string(inline => $actionModify) %>


@ -30,7 +30,13 @@
</span><br>
<span class='data'>
%= submit_button l('lets_Back'), class => 'action back', onclick =>'history.back()'
%my $back_text = l('lets_Back'); # Localized text
%my $actionBack = qq{
% <a href="letsencryptd">
% <input class='action back' type='submit' value='$back_text'>
% </a>
%};
<%= $c->render_to_string(inline => $actionBack) %>
</span>
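Review bot: The new back link wraps `<input class='action back' type='submit' ...>` in an `<a>`; the line it replaces used the `submit_button` helper, which suggests this markup sits inside a form, in which case clicking the input submits that form instead of (or as well as) following the link — `type='button'` is the safe choice, and the same pattern is repeated in the two other letsencrypt sections below. Behaviour also changes from `history.back()` to a fixed jump to `letsencryptd`, which is reasonable but worth a one-line comment such as `%# fixed target instead of history.back(): inline handlers are blocked by the CSP` so nobody restores the old handler. `$back_text` is interpolated unescaped into the `value='...'` attribute, so a translation containing an apostrophe would break the tag; `xml_escape` from Mojo::Util covers it. The enclosing markup begins outside the hunk.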


@ -30,7 +30,13 @@
</span><br>
<span class='data'>
%= submit_button l('lets_Back'), class => 'action back', onclick =>'history.back()'
%my $back_text = l('lets_Back'); # Localized text
%my $actionBack = qq{
% <a href="letsencryptd">
% <input class='action back' type='submit' value='$back_text'>
% </a>
%};
<%= $c->render_to_string(inline => $actionBack) %>
</span>


@ -37,7 +37,13 @@
</span><br>
<span class='data'>
%= submit_button l('lets_Back'), class => 'action back', onclick =>'history.back()'
%my $back_text = l('lets_Back'); # Localized text
%my $actionBack = qq{
% <a href="letsencryptd">
% <input class='action back' type='submit' value='$back_text'>
% </a>
%};
<%= $c->render_to_string(inline => $actionBack) %>
</span>


@ -89,10 +89,11 @@
%my $local_network_entry = $localnetwork->key;
%my $csrf_token = "TOKEN"; # CSRF token for security
%$actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='localnetworksd?CsrfDef=$csrf_token&trt=DEL&localnetwork=$local_network_entry'">
% <a href="localnetworksd?CsrfDef=$csrf_token&trt=DEL&localnetwork=$local_network_entry">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
% }
<td class='sme-border'><%= $c->render_to_string(inline => $actionRemove) %></td>


@ -96,10 +96,11 @@
%my $remove_text = l('REMOVE'); # Localized text
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='portforwardingd?CsrfDef=$csrf_token&trt=DEL&sport=$sport&proto=$proto'">
% <a href="portforwardingd?CsrfDef=$csrf_token&trt=DEL&sport=$sport&proto=$proto">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
<%= $c->render_to_string(inline => $actionRemove) %>
</td>


@ -62,10 +62,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $printer_name = $printer->key;
%my $actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='printers2?CsrfDef=$csrf_token&trt=DEL&&printer=$printer_name'">
% <a href="printers2?CsrfDef=$csrf_token&trt=DEL&&printer=$printer_name">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
<%= $c->render_to_string(inline => $actionRemove) %>
</td>
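Review bot: The new href `printers2?CsrfDef=$csrf_token&trt=DEL&&printer=$printer_name` carries a doubled `&&`, which yields an empty query parameter that most parsers ignore but which reads as a typo carried over from the removed line; `printers2?CsrfDef=$csrf_token&trt=DEL&printer=$printer_name` is the intended form. `$printer_name` is interpolated unescaped into the attribute, as in the other panels, so `url_escape` from Mojo::Util at its declaration would keep the link intact for unusual names. The `%my` run that builds `$actionRemove` starts outside the hunk.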


@ -61,10 +61,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $pseudonyms_entry_name = $pseudonym->key; # pseudonyms_entry name extracted from the data structure
%$actionModify = qq{
% <button type='button' class='sme-modify-button' title='$modify_text'
% onclick="window.location.href='pseudonyms2?CsrfDef=$csrf_token&trt=UPD&pseudonym=$pseudonyms_entry_name'">
% <a href="pseudonyms2?CsrfDef=$csrf_token&trt=UPD&pseudonym=$pseudonyms_entry_name">
% <button type='button' class='sme-modify-button' title='$modify_text' >
% $modify_text
% </button>
% </a>
%};
%}
@ -73,10 +74,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $pseudonyms_entry_name = $pseudonym->key; # pseudonyms_entry name extracted from the data structure
%$actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='pseudonyms2?CsrfDef=$csrf_token&trt=DEL&pseudonym=$pseudonyms_entry_name'">
% <a href="pseudonyms2?CsrfDef=$csrf_token&trt=DEL&pseudonym=$pseudonyms_entry_name">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
%}
<%= $c->render_to_string(inline => $actionModify) %> <%= $c->render_to_string(inline => $actionRemove) %>


@ -62,10 +62,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $quota_user_name = $user->key; # quotas_entry name extracted from the data structure
%my $actionModify = qq{
% <button type='button' class='sme-modify-button' title='$modify_text'
% onclick="window.location.href='quotad?CsrfDef=$csrf_token&trt=UPD&user=$quota_user_name'">
% <a href="quotad?CsrfDef=$csrf_token&trt=UPD&user=$quota_user_name">
% <button type='button' class='sme-modify-button' title='$modify_text' >
% $modify_text
% </button>
% </a>
%};
<%= $c->render_to_string(inline => $actionModify) %>
</td>


@ -66,52 +66,58 @@
%my $password_text = l("PASSWORD_RESET");
%if ($useraccounts_user_name eq 'admin') {
%$actionModify = qq{
% <button type='button' class='sme-modify-button' title='$modify_text'
% onclick="window.location.href='useraccountsd?CsrfDef=$csrf_token&trt=UPS&user=$useraccounts_user_name'">
% <a href="useraccountsd?CsrfDef=$csrf_token&trt=UPS&user=$useraccounts_user_name">
% <button type='button' class='sme-modify-button' title='$modify_text'>
% $modify_text
% </button>
% </a>
%};
%} else {
%$actionModify = qq{
% <button type='button' class='sme-modify-button' title='$modify_text'
% onclick="window.location.href='useraccountsd?CsrfDef=$csrf_token&trt=UPD&user=$useraccounts_user_name'">
% <a href="useraccountsd?CsrfDef=$csrf_token&trt=UPD&user=$useraccounts_user_name">
% <button type='button' class='sme-modify-button' title='$modify_text' >
% $modify_text
% </button>
% </a>
%};
%}
%if ($password_set ne 'yes') {
%$actionLock = l('ACCOUNT_LOCKED');
%$actionResetPw = qq{
% <button type='button' class='sme-password-button unset' title="$password_text - currently unset" style = background:pink;
% onclick="window.location.href='useraccountsd?CsrfDef=$csrf_token&trt=PWD&user=$useraccounts_user_name'">
% <a href="useraccountsd?CsrfDef=$csrf_token&trt=PWD&user=$useraccounts_user_name">
% <button type='button' class='sme-password-button unset' title="$password_text - currently unset" style = background:pink; >
% $password_text
% </button>
% </a>
%};
%} else {
%my $lock_text = l('ACCOUNT LOCKED'); # Localized text
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $useraccounts_user_name = $user->key; # useraccountss_entry name extracted from the data structure
%$actionLock = qq{
% <button type='button' class='sme-lock-button' title='$lock_text'
% onclick="window.location.href='useraccountsd?CsrfDef=$csrf_token&trt=LCK&user=$useraccounts_user_name'">
% <a href="useraccountsd?CsrfDef=$csrf_token&trt=LCK&user=$useraccounts_user_name">
% <button type='button' class='sme-lock-button' title='$lock_text' >
% $lock_text
% </button>
% </a>
%};
%$actionResetPw = qq{
% <button type='button' class='sme-password-button' title='$password_text'
% onclick="window.location.href='useraccountsd?CsrfDef=$csrf_token&trt=PWD&user=$useraccounts_user_name'">
% <a href="useraccountsd?CsrfDef=$csrf_token&trt=PWD&user=$useraccounts_user_name">
% <button type='button' class='sme-password-button' title='$password_text' >
% $password_text
% </button>
% </a>
%};
%}
%if ( $removable eq 'yes' ) {
%my $remove_text = l('REMOVE'); # Localized text
%my $csrf_token = "TOKEN"; # CSRF token for security
%$actionRemove = qq{
% <button type='button' class='sme-remove-button' title='$remove_text'
% onclick="window.location.href='useraccountsd?CsrfDef=$csrf_token&trt=DEL&user=$useraccounts_user_name'">
% <a href="useraccountsd?CsrfDef=$csrf_token&trt=DEL&user=$useraccounts_user_name">
% <button type='button' class='sme-remove-button' title='$remove_text' >
% $remove_text
% </button>
% </a>
%};
%}
@ -121,10 +127,11 @@
%my $csrf_token = "TOKEN"; # CSRF token for security
%my $useraccounts_user_name = $user->key; # useraccountss_entry name extracted from the data structure
%$actionroundcube = qq{
% <button type='button' class='sme-email-button' title='$roundcube_text'
% onclick="window.location.href='roundcubepanel?CsrfDef=$csrf_token&url=https://$thisdomain/roundcube?_user=$useraccounts_user_name'">
% <a href="roundcubepanel?CsrfDef=$csrf_token&url=https://$thisdomain/roundcube?_user=$useraccounts_user_name">
% <button type='button' class='sme-email-button' title='$roundcube_text' >
% $roundcube_text
% </button>
% </a>
%};
<td class='sme-border' style="min-width:35em">


@ -2,7 +2,7 @@ Summary: Sme server navigation module : manager 2
%define name smeserver-manager
Name: %{name}
%define version 11.0.0
%define release 32
%define release 33
Version: %{version}
Release: %{release}%{?dist}
License: GPL
@ -115,6 +115,11 @@ true
%defattr(-,root,root)
%changelog
* Mon Dec 30 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-33.sme
- host locally flag-icon.min.css 3.5.0 [SME: 12845]
- remove onclick to comply with strict CSP [SME: 12846]
- add CSP rules with specific hash [SME: 12840]
* Wed Dec 18 2024 Brian Read <brianr@koozali.org> 11.0.0-32.sme
- Fix for User and localnetwork panel [SME: 6278]
- Fix menu entry for proxy to stop it moving