diff --git a/.gitpod.yml b/.gitpod.yml index b7cd027..fdc95a8 100644 --- a/.gitpod.yml +++ b/.gitpod.yml @@ -41,7 +41,7 @@ tasks: echo "$(tput setaf 2)Full webserver url$(tput sgr0) $(tput setaf 4)$WEBSERVER_URL$(tput sgr0)"; echo "$(tput setaf 2)Allerta username$(tput sgr0) $(tput setaf 4)admin$(tput sgr0)"; echo "$(tput setaf 2)Allerta password$(tput sgr0) $(tput setaf 4)password$(tput sgr0)"; - echo "$(tput setaf 2)PHP Adminer url$(tput sgr0) $(tput setaf 4)$WEBSERVER_URL/adminer.php$(tput sgr0)"; + echo "$(tput setaf 2)PHP Adminer$(tput sgr0) $(tput setaf 4)$WEBSERVER_URL/adminer.php$(tput sgr0)"; echo "$(tput setaf 2)DB user$(tput sgr0) $(tput setaf 4)allerta$(tput sgr0)"; echo "$(tput setaf 2)DB password$(tput sgr0) $(tput setaf 4)allerta_pwd$(tput sgr0)"; echo "$(tput setaf 2)DB name$(tput sgr0) $(tput setaf 4)allerta$(tput sgr0)"; diff --git a/server/composer.json b/server/composer.json index 66ffd01..d1fcc69 100644 --- a/server/composer.json +++ b/server/composer.json @@ -6,6 +6,10 @@ { "type": "vcs", "url": "https://github.com/allerta-vvf/tiny-html-minifier" + }, + { + "type": "vcs", + "url": "https://github.com/allerta-vvf/php-debugbar" } ], "require": { @@ -17,7 +21,7 @@ "ezyang/htmlpurifier": "^4.13", "brick/phonenumber": "^0.2.2", "sentry/sdk": "^3.1", - "maximebf/debugbar": "^1.16", + "maximebf/debugbar": "dev-master", "azuyalabs/yasumi": "^2.4", "ministryofweb/php-osm-tiles": "^2.0", "jenstornell/tiny-html-minifier": "dev-master", diff --git a/server/composer.lock b/server/composer.lock index b119876..57dcfdb 100644 --- a/server/composer.lock +++ b/server/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "b75ca84c59d5468883ebe8a230f59fe9", + "content-hash": "4c5225e9eaf82f46758dd24bc5717c7d", "packages": [ { "name": "azuyalabs/yasumi", 
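Review bot: `"maximebf/debugbar": "dev-master"` tracks the head of the allerta-vvf fork, so every `composer update` can pull whatever lands on that branch rather than the reviewed commit; only composer.lock pins it (reference f9b3c4b7c1a79db817435d3817c3a997101fefa9 in the lock hunk). Pinning the constraint as well, `"maximebf/debugbar": "dev-master#f9b3c4b7c1a79db817435d3817c3a997101fefa9"` (or a tag cut on the fork), keeps the resolved code reviewable and stops an unreviewed branch update from reaching installs. Since the fork keeps the upstream package name, upstream advisories for maximebf/debugbar will no longer correspond to the code actually installed, which is worth a line next to the repositories entry noting why the fork exists (the ui.php hunk appears to depend on a `setJSNonce` method, which I take to be the fork's addition).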
@@ -876,16 +876,16 @@ }, { "name": "maximebf/debugbar", - "version": "v1.16.5", + "version": "dev-master", "source": { "type": "git", - "url": "https://github.com/maximebf/php-debugbar.git", - "reference": "6d51ee9e94cff14412783785e79a4e7ef97b9d62" + "url": "https://github.com/allerta-vvf/php-debugbar.git", + "reference": "f9b3c4b7c1a79db817435d3817c3a997101fefa9" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/maximebf/php-debugbar/zipball/6d51ee9e94cff14412783785e79a4e7ef97b9d62", - "reference": "6d51ee9e94cff14412783785e79a4e7ef97b9d62", + "url": "https://api.github.com/repos/allerta-vvf/php-debugbar/zipball/f9b3c4b7c1a79db817435d3817c3a997101fefa9", + "reference": "f9b3c4b7c1a79db817435d3817c3a997101fefa9", "shasum": "" }, "require": { @@ -901,6 +901,7 @@ "monolog/monolog": "Log using Monolog", "predis/predis": "Redis storage" }, + "default-branch": true, "type": "library", "extra": { "branch-alias": { @@ -912,7 +913,6 @@ "DebugBar\\": "src/DebugBar/" } }, - "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], @@ -934,10 +934,9 @@ "debugbar" ], "support": { - "issues": "https://github.com/maximebf/php-debugbar/issues", - "source": "https://github.com/maximebf/php-debugbar/tree/v1.16.5" + "source": "https://github.com/allerta-vvf/php-debugbar/tree/master" }, - "time": "2020-12-07T11:07:24+00:00" + "time": "2021-05-27T13:04:53+00:00" }, { "name": "ministryofweb/php-osm-tiles", 
@@ -998,12 +997,12 @@ "source": { "type": "git", "url": "https://github.com/nikic/FastRoute.git", - "reference": "b5543adef5e16738471a52fdf55ff802edf1141d" + "reference": "dafa1911fd7c1560c64d19556cbd4c599fed15ea" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/nikic/FastRoute/zipball/b5543adef5e16738471a52fdf55ff802edf1141d", - "reference": "b5543adef5e16738471a52fdf55ff802edf1141d", + "url": "https://api.github.com/repos/nikic/FastRoute/zipball/dafa1911fd7c1560c64d19556cbd4c599fed15ea", + "reference": "dafa1911fd7c1560c64d19556cbd4c599fed15ea", "shasum": "" }, "require": { @@ -1011,7 +1010,7 @@ }, "require-dev": { "doctrine/coding-standard": "^9.0", - "phpbench/phpbench": "^1.0@beta", + "phpbench/phpbench": "^1.0", "phpstan/extension-installer": "^1.0", "phpstan/phpstan": "^0.12", "phpstan/phpstan-deprecation-rules": "^0.12", @@ -1053,7 +1052,7 @@ "issues": "https://github.com/nikic/FastRoute/issues", "source": "https://github.com/nikic/FastRoute/tree/master" }, - "time": "2021-04-27T09:57:16+00:00" + "time": "2021-05-24T09:28:21+00:00" }, { "name": "php-http/client-common", @@ -3135,6 +3134,7 @@ "minimum-stability": "stable", "stability-flags": { "nikic/fast-route": 20, + "maximebf/debugbar": 20, "jenstornell/tiny-html-minifier": 20 }, "prefer-stable": false, diff --git a/server/core.php b/server/core.php index 03221e2..f6d52c8 100644 --- a/server/core.php +++ b/server/core.php 
@@ -48,7 +48,17 @@ class tools { $this->db = $db; $this->profiler_enabled = $profiler_enabled; - $this->script_nonce = $this->generateNonce(16); + if(defined("UI_MODE")){ + if(isset($_SESSION["script_nonce"]) && ( + (isset($_SERVER["HTTP_X_PJAX"]) || isset($_GET["X_PJAX"]) || isset($_GET["_PJAX"])) || + strpos($_SERVER['REQUEST_URI'], "edit_") + )){ + $this->script_nonce = $_SESSION["script_nonce"]; + } else { + $this->script_nonce = $this->generateNonce(16); + $_SESSION["script_nonce"] = $this->script_nonce; + } + } } public function validate_form($data, $expected_value=null, $data_source=null) @@ -909,12 +919,13 @@ function init_class($enableDebugger=true, $headers=true) if($headers) { //TODO adding require-trusted-types-for 'script'; + $script_nonce_csp = defined("UI_MODE") ? "'nonce-{$tools->script_nonce}' " : ""; $csp_rules = [ "default-src 'self' data: *.tile.openstreetmap.org nominatim.openstreetmap.org", "connect-src 'self' *.sentry.io nominatim.openstreetmap.org", - "script-src 'nonce-{$tools->script_nonce}' 'self'", + "script-src {$script_nonce_csp}'self' 'unsafe-eval'", "img-src 'self' data: *.tile.openstreetmap.org", - "object-src", + "object-src 'self'", "style-src 'self' 'unsafe-inline'", "base-uri 'self'" ]; diff --git a/server/error_page.php b/server/error_page.php index e01df0b..17ee5cf 100644 --- a/server/error_page.php +++ b/server/error_page.php @@ -1,6 +1,6 @@ script_nonce; + } catch (\Exception $e) { + } ?>
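Review bot: The session nonce is reused for any request whose URI contains `edit_` or that carries an `X_PJAX`/`_PJAX` query parameter, so for those pages the CSP nonce is effectively per-session rather than per-response, which is the property a nonce is meant to provide; reusing it for genuine PJAX loads is defensible (the scripts are injected into a document whose CSP header already named that nonce), but the URI substring and query-parameter triggers widen it to ordinary full-page loads. Consider limiting the reuse to the `HTTP_X_PJAX` header and adding a comment stating why `edit_` pages need it, if they really do. `strpos($_SERVER['REQUEST_URI'], "edit_")` also needs `!== false` (or `str_contains` on PHP 8) to be an intentional boolean rather than relying on truthiness of the offset. Finally, `$this->script_nonce` is now only assigned under `UI_MODE`, so the property is unset in other modes; initialising it to `''` before the `if` would keep readers such as error_page.php from depending on that. The constructor this sits in starts outside the hunk.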
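Review bot: Adding `'unsafe-eval'` to `script-src` gives back a large part of what the nonce-based policy was protecting against, since any script that does get to run can now build further code from strings; if a specific library needs it, name it in a comment next to the rule so the exception can be removed when that dependency goes away. `object-src 'self'` also allows same-origin plugin content, where `'none'` is the usual value for an application that serves no plugin objects; the old bare `"object-src"` was invalid syntax, so `'none'` is the closer fix: `"object-src 'none'",`. The `require-trusted-types-for` TODO above the block remains open. `init_class` starts and ends outside the hunk.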

Error page based on work by . - - + + auth->getUserId(); $result = $db->select("SELECT * FROM `".DB_PREFIX."_schedules` WHERE `user`={$user_id}"); if(!empty($result)){ @@ -140,7 +142,15 @@ $holidays_select_none = t("Remove selections", false); echo(<< - {$holidays_select_all} / {$holidays_select_none} + {$holidays_select_all} / {$holidays_select_none} + EOL); $i = 0; @@ -161,9 +171,9 @@ EOT); echo(""); ?> - {# /Menu #} {% endblock %} {% endif %} diff --git a/server/templates/edit_service.html b/server/templates/edit_service.html index 94d8bfa..7862f81 100644 --- a/server/templates/edit_service.html +++ b/server/templates/edit_service.html @@ -86,14 +86,21 @@
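Review bot: The new `try { … } catch (\Exception $e) { }` around the `script_nonce` read guards very little: an undefined `$tools` or an unset property produces a warning (or an `\Error` when `$tools` is not an object), neither of which `\Exception` catches, and when something is caught the empty block hides it. Reading the value with `$tools->script_nonce ?? ''` covers the unset cases without suppressing real failures; the core.php hunk only assigns the property under `UI_MODE`, which is presumably why the guard was added. Only the PHP fragment of this hunk is legible here, so the surrounding markup lines are not reviewed.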
- + +
- {{ script('maps.js', 'allertaJS.maps.loadMap();') }} + + {{ script('maps.js') }} {% else %}
@@ -154,7 +161,9 @@ {% if service.modalità == "edit" %} {% if option('use_location_picker') %} {% set place = values.place|split('#')[0] %} - allertaJS.maps.setMarker(new L.LatLng({{place|split(';')[0]}}, {{place|split(';')[1]}}), true); + $(function(){ + allertaJS.maps.setMarker(new L.LatLng({{place|split(';')[0]}}, {{place|split(';')[1]}}), true); + }); {% endif %} $.each('{{ values.chief }}'.split(','), function (index, value) { $('.chief-' + value).prop('checked', true); @@ -208,4 +217,4 @@ {% block footer %} {% endblock %} -{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/server/templates/edit_training.html b/server/templates/edit_training.html index da121aa..890d885 100644 --- a/server/templates/edit_training.html +++ b/server/templates/edit_training.html @@ -70,14 +70,21 @@
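Review bot: The added `allertaJS.maps.setMarker(new L.LatLng({{place|split(';')[0]}}, {{place|split(';')[1]}}), true);` interpolates two fragments of `values.place` straight into JavaScript; Twig's default autoescape, if enabled here, is HTML escaping, which does not make a value safe inside a script block. The next context line in edit_training.html already applies `|striptags|e("js")` to `values.chief`, so the same filter here, `{{ place|split(';')[0]|e('js') }}` and likewise for index 1, would make both templates consistent (the same line is added in the edit_training.html hunk `@@ -100,7 +107,9 @@`). Whether `place` can hold anything other than numbers depends on validation I cannot see, so treat this as defense in depth.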
- + +
- {{ script('maps.js', 'allertaJS.maps.loadMap();') }} + + {{ script('maps.js') }} {% else %}
@@ -100,7 +107,9 @@ {% if training.modalità == "edit" %} {% if option('use_location_picker') %} {% set place = values.place|split('#')[0] %} - allertaJS.maps.setMarker(new L.LatLng({{place|split(';')[0]}}, {{place|split(';')[1]}}), true); + $(function(){ + allertaJS.maps.setMarker(new L.LatLng({{place|split(';')[0]}}, {{place|split(';')[1]}}), true); + }); {% endif %} $.each('{{ values.chief|striptags|e("js") }}'.split(','), function (index, value) { $('.chief-' + value).prop('checked', true); diff --git a/server/templates/list.html b/server/templates/list.html index 544f0d7..a29d9b1 100644 --- a/server/templates/list.html +++ b/server/templates/list.html @@ -36,9 +36,8 @@

{{ 'Are you available in case of alert?'|t }}

- - + +
diff --git a/server/ui.php b/server/ui.php index 99c1717..14eac0b 100644 --- a/server/ui.php +++ b/server/ui.php @@ -1,4 +1,5 @@ disableVendor("jquery"); $debugbarRenderer->setEnableJqueryNoConflict(false); $debugbarRenderer->setOpenHandlerUrl('debug_open.php'); + $debugbarRenderer->setJSNonce($nonce); } else { $enable_debugbar = false; } @@ -95,15 +97,12 @@ $function_resource = new \Twig\TwigFunction( $twig->addFunction($function_resource); $function_script = new \Twig\TwigFunction( - 'script', function ($file, $onLoad=false) { + 'script', function ($file) { global $nonce, $url_software, $webpack_manifest; $script_url = $url_software . "/resources/dist/" . $webpack_manifest[$file]["src"]; $script_integrity = $webpack_manifest[$file]["integrity"]; $script_tag = "