View Issue Details
| Field | Value |
|---|---|
| ID | 0021263 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2016-07-11 19:10 |
| Last Update | 2016-08-29 18:25 |
| Reporter | j_schultz |
| Assigned To | vboctor |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.3.0 |
| Target Version | 1.3.1 |
| Fixed in Version | 1.3.1 |
| Summary | 0021263: CVE-2016-7111: Content Security Policy is weakened by Gravatar plugin |
| Description | When sending the same HTTP header to PHP twice via the header() function, the old value is replaced. The default Gravatar plugin sets its own "Content-Security-Policy" HTTP header, which overrides the more strict defaults normally used by Mantis. |
| Steps To Reproduce | Enable Gravatars and check the HTTP headers. |
| Tags | No tags attached. |
@atrol I'm not sure I understand what the relationship with 0021611 is. |
|
0021611 can't be reproduced (at least with FF) if the gravatar plugin is not enabled. Enabling the plugin overrides the CSP headers and we send just

Without the gravatar plugin enabled we send
|
Thanks for the feedback Roland. @vboctor this needs to be fixed ASAP, if not permanently as per j_schultz's suggestion, then at least implement a workaround to make the Gravatar plugin not break the default MantisBT CSP. Can you please look into it ? |
|
Related discussion |
|
I sent a CVE request to the OSS-security mailing list [1]; will update this with the ID once it's been assigned. |
|
CVE assignment http://www.openwall.com/lists/oss-security/2016/08/29/2 |
|
MantisBT: master-1.3.x a905dd01 2016-08-16 22:25 Committer: dregad
Add API for Content-Security-Policy
Add APIs to allow plugins to change the Content-Security-Policy header.
Fixes 0021263
Affected Issues: 0021263
mod - core/http_api.php

MantisBT: master-1.3.x f24a3e9c 2016-08-16 22:44 Committer: dregad
Use Content-Security-Policy API in Gravatar
Fixes 0021263
Affected Issues: 0021263
mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x 9f359863 2016-08-16 22:50 Committer: dregad
Protect against calling http_csp_add() too late
If the CSP header is sent and then http_csp_add() is called, trigger error.
Fixes 0021263
Affected Issues: 0021263
mod - core/http_api.php

MantisBT: master-1.3.x c13b3253 2016-08-25 19:19 Committer: dregad
Add EVENT_CORE_HEADERS event
Called before core emits headers, enabling plugins to emit their own headers or call APIs that shape the value of headers emitted by core like Content-Security-Policy.
Fixes 0021263
Affected Issues: 0021263
mod - core.php
mod - core/events_inc.php
mod - docbook/Developers_Guide/en-US/Events_Reference.xml
mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x b3511d2f 2016-08-27 13:01
Fix weakened CSP by Gravatar plugin
Merge vboctor's branch 'issue_21263_csp_headers_13x'
Fixes 0021263
Affected Issues: 0021263
mod - core.php
mod - core/events_inc.php
mod - core/http_api.php
mod - docbook/Developers_Guide/en-US/Events_Reference.xml
mod - plugins/Gravatar/Gravatar.php
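The following is an added illustration, not MantisBT's own code, covering both the mechanism in the issue description (a second header() call with PHP's default replace behaviour discards the core's stricter Content-Security-Policy) and the shape of the fix in the commits above (directives accumulate through an API, plugins run before core emits headers, and adding a directive after the header has gone out is an error). PHP's real header() is a no-op on the CLI, so the response is modelled in memory by a small FakeResponse class that reproduces the replace-by-default semantics; FakeResponse, CspPolicy, the $hooks array and the host names are inventions of this example, not MantisBT's http_csp_add() or EVENT_CORE_HEADERS.

```php
<?php
declare(strict_types=1);

// Stand-in for PHP's header(): with $replace = true (PHP's default) a new header of
// the same name discards every earlier one. Modelled in memory so it runs on the CLI.
final class FakeResponse
{
    /** @var array<int, array{string,string}> */
    private array $headers = [];

    public function header(string $line, bool $replace = true): void
    {
        [$name, $value] = array_map('trim', explode(':', $line, 2));
        if ($replace) {
            $this->headers = array_values(array_filter(
                $this->headers,
                fn(array $h) => strcasecmp($h[0], $name) !== 0
            ));
        }
        $this->headers[] = [$name, $value];
    }

    /** @return string[] values sent for $name, in emission order */
    public function get(string $name): array
    {
        return array_values(array_map(
            fn(array $h) => $h[1],
            array_filter($this->headers, fn(array $h) => strcasecmp($h[0], $name) === 0)
        ));
    }
}

// Buggy pattern: core and plugin each call header() independently.
function buggy(FakeResponse $r): void
{
    $r->header("Content-Security-Policy: default-src 'self'; frame-ancestors 'self'");
    // The plugin "adds" its own CSP, but this replaces the strict policy above entirely.
    $r->header("Content-Security-Policy: img-src 'self' https://gravatar.example"); // placeholder host
}

// Fixed pattern: directives accumulate and the header is emitted exactly once.
final class CspPolicy
{
    /** @var array<string, string[]> directive => sources */
    private array $directives = [];
    private bool $emitted = false;

    public function add(string $directive, string $source): void
    {
        if ($this->emitted) {
            // Mirrors the "too late" guard in the fix: a silent downgrade becomes a loud error.
            throw new LogicException("CSP already sent; cannot add '$directive $source'");
        }
        $this->directives[$directive][] = $source;
    }

    public function emit(FakeResponse $r): void
    {
        $parts = [];
        foreach ($this->directives as $d => $srcs) {
            $parts[] = $d . ' ' . implode(' ', array_unique($srcs));
        }
        $r->header('Content-Security-Policy: ' . implode('; ', $parts));
        $this->emitted = true;
    }
}

function fixed(FakeResponse $r): void
{
    $csp = new CspPolicy();
    $csp->add('default-src', "'self'");
    $csp->add('frame-ancestors', "'self'");

    // Stand-in for a pre-header event: plugin hooks run before core emits the header.
    $hooks = [
        function (CspPolicy $p): void {
            $p->add('img-src', "'self'");
            $p->add('img-src', 'https://gravatar.example'); // placeholder host
        },
    ];
    foreach ($hooks as $hook) {
        $hook($csp);
    }
    $csp->emit($r);

    // A plugin firing after emission is rejected instead of weakening the policy.
    try {
        $csp->add('script-src', 'https://late-plugin.example');
    } catch (LogicException $e) {
        echo "blocked: {$e->getMessage()}\n";
    }
}

$b = new FakeResponse();
buggy($b);
echo "buggy: ", implode(' | ', $b->get('Content-Security-Policy')), "\n";

$f = new FakeResponse();
fixed($f);
echo "fixed: ", implode(' | ', $f->get('Content-Security-Policy')), "\n";
```

Run it with `php csp_example.php`: the "buggy" line shows only the plugin's img-src policy surviving, while the "fixed" line carries default-src, frame-ancestors and img-src together, and the late add is reported as blocked. The check a practitioner should run against a real deployment is the one in the issue's reproduction steps: enable the plugin and compare the Content-Security-Policy response header with and without it.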