From 1e026a625eb1727f8d78573bb66462087392010d Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Wed, 31 Aug 2022 22:59:02 +0200
Subject: [PATCH] [BUGFIX] Allow CSP inline styles in directly requested SVG files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Using CSP directive `style-src 'unsafe-inline'` seems to be fine for directly requested SVG files, since corresponding definitions are bound to the corresponding resource. Loading styles from any other external resource is still denied.
Resolves: #93884
Releases: main, 11.5, 10.4
Change-Id: Ifddf8782ecaa81bf26026ae8850d8c53b7977bd7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75594
Reviewed-by: Frank Nägler <frank.naegler@typo3.com>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Frank Nägler <frank.naegler@typo3.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
---
 .../core/Classes/Controller/FileDumpController.php | 10 +++++++---
 .../resources-root-htaccess | 6 +++++-
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/typo3/sysext/core/Classes/Controller/FileDumpController.php b/typo3/sysext/core/Classes/Controller/FileDumpController.php
index 99a060d4d5c1..0951fe6c75b9 100644
--- a/typo3/sysext/core/Classes/Controller/FileDumpController.php
+++ b/typo3/sysext/core/Classes/Controller/FileDumpController.php
@@ -240,9 +240,13 @@ class FileDumpController
     {
         $extension = PathUtility::pathinfo($file->getName(), PATHINFO_EXTENSION);
         // same as in `typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess`
-        $policy = $extension === 'pdf' || $response->getHeaderLine('content-type') === 'application/pdf'
-            ? "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
-            : "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
+        if ($extension === 'pdf' || $response->getHeaderLine('content-type') === 'application/pdf') {
+            $policy = "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;";
+        } elseif ($extension === 'svg' || $response->getHeaderLine('content-type') === 'image/svg+xml') {
+            $policy = "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';";
+        } else {
+            $policy = "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
+        }
         return $response->withAddedHeader('content-security-policy', $policy);
     }
 }
diff --git a/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess b/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess
index 5f660d0c6066..ec06e6b34528 100644
--- a/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess
+++ b/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/resources-root-htaccess
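Review bot: The new `elseif` branch relaxes only inline styles, but the reason that external and even same-origin stylesheets stay blocked — `style-src 'unsafe-inline'` names no host source, so it does not inherit `'self'` from `default-src` — is not recorded next to the policy string; a comment such as `// SVG: inline <style>/style="" allowed; external stylesheets (including same-origin) stay blocked because style-src does not list 'self'` would make that intent reviewable. The extension check is a case-sensitive exact match, so names like `.SVG` or `.svgz`, and a `content-type` carrying a parameter (e.g. `image/svg+xml; charset=utf-8`), fall through to the strict default policy, which is fail-closed and worth noting as deliberate. As a style point, `$response->getHeaderLine('content-type')` is now evaluated in two branches; hoisting it once above the `if` as `$contentType = $response->getHeaderLine('content-type');` and comparing `$contentType` in both conditions reads more clearly. The enclosing method's signature lies above the hunk.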
@@ -7,8 +7,12 @@
 <FilesMatch "\.pdf$">
     Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
 </FilesMatch>
+# matching requested *.svg files only (allows using inline styles when serving SVG files)
+<FilesMatch "\.svg">
+    Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none';"
+</FilesMatch>
 # matching anything else, using negative lookbehind pattern
-<FilesMatch "(?<!\.pdf)$">
+<FilesMatch "(?<!\.(?:pdf|svg))$">
     Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
 </FilesMatch>
-- 
GitLab
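Review bot: The new `<FilesMatch "\.svg">` lacks the trailing `$` anchor that the `.pdf` block and the rewritten negative lookbehind both use, so it matches any filename that merely contains `.svg` (e.g. `logo.svg.txt` or `logo.svgz`), not only requested `*.svg` files as the comment above it states. Such names also match the later catch-all `(?<!\.(?:pdf|svg))$` section, and as far as mod_headers merging goes only the later `Header set` winning keeps the strict policy in effect for them, which makes the relaxed policy dependent on section order rather than on the pattern. The one-character fix is `<FilesMatch "\.svg$">`, which also keeps the rule in step with the exact `$extension === 'svg'` comparison in FileDumpController.php from the same commit. FilesMatch is case-sensitive here, so `.SVG` falls to the strict default just as on the PHP side; a short comment noting that this is intended would help the next reader.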