Merge branch '2.4' into develop
commit
ba200f2458
2
PyMISP
2
PyMISP
|
@ -1 +1 @@
|
|||
Subproject commit 4a2367ec965d70d84a0091ea3a6978916a7df25a
|
||||
Subproject commit 39a7b8242f0d3022276d417ec334bb46b890ff23
|
|
@ -26,7 +26,7 @@ class AppController extends Controller
|
|||
public $helpers = array('OrgImg', 'FontAwesome', 'UserName', 'DataPathCollector');
|
||||
|
||||
private $__queryVersion = '126';
|
||||
public $pyMispVersion = '2.4.138';
|
||||
public $pyMispVersion = '2.4.140';
|
||||
public $phpmin = '7.2';
|
||||
public $phprec = '7.4';
|
||||
public $phptoonew = '8.0';
|
||||
|
@ -717,7 +717,7 @@ class AppController extends Controller
|
|||
return;
|
||||
}
|
||||
if (is_array($custom)) {
|
||||
$default = $default + $custom;
|
||||
$default = $custom + $default;
|
||||
}
|
||||
$header = [];
|
||||
foreach ($default as $key => $value) {
|
||||
|
@ -729,7 +729,8 @@ class AppController extends Controller
|
|||
}
|
||||
}
|
||||
}
|
||||
$this->response->header('Content-Security-Policy', implode('; ', $header));
|
||||
$header = Configure::read('Security.csp_enforce') ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
|
||||
$this->response->header($header, implode('; ', $header));
|
||||
}
|
||||
|
||||
private function __rateLimitCheck()
|
||||
|
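Review bot: The added line `$header = Configure::read('Security.csp_enforce') ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';` reuses `$header`, which this method initialises as the array of CSP directives (`$header = [];` before the `foreach` in the previous hunk), so by the time `implode('; ', $header)` runs on the next line the directive array has already been replaced by the header-name string and implode gets a string for its array argument — on PHP 7 that appears to be an "Invalid arguments passed" warning with a null header value, on PHP 8.0 a TypeError, and in either case the CSP is not sent as intended. Keep the name in its own variable: `$headerName = Configure::read('Security.csp_enforce') ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';` and `$this->response->header($headerName, implode('; ', $header));`. The enclosing method starts outside this hunk; the union change (`$custom + $default`) in the hunk at line 717 is unaffected by this point.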
|
|
@ -61,7 +61,7 @@ class SecurityAudit
|
|||
if (empty(Configure::read('Security.disable_browser_cache'))) {
|
||||
$output['Browser'][] = [
|
||||
'warning',
|
||||
__('Browser cache is enabled. Attacker can obtain sensitive data from user cache. You can disable cache by setting `Security.disable_browser_cache` to `false`.'),
|
||||
__('Browser cache is enabled. Attacker can obtain sensitive data from user cache. You can disable cache by setting `Security.disable_browser_cache` to `true`.'),
|
||||
];
|
||||
}
|
||||
if (empty(Configure::read('Security.check_sec_fetch_site_header'))) {
|
||||
|
@ -70,6 +70,13 @@ class SecurityAudit
|
|||
__('MISP server is not checking `Sec-Fetch` HTTP headers. This is protection against CSRF for moder browsers. You can enable this checks by setting `Security.check_sec_fetch_site_header` to `true`.'),
|
||||
];
|
||||
}
|
||||
if (empty(Configure::read('Security.csp_enforce'))) {
|
||||
$output['Browser'][] = [
|
||||
'warning',
|
||||
__('Content security policies (CSP) are not enforced. Consider enabling them by setting `Security.csp_enforce` to `true`.'),
|
||||
'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
|
||||
];
|
||||
}
|
||||
if (Configure::read('Security.disable_form_security')) {
|
||||
$output['Browser'][] = ['error', __('Disabling form security is never a good idea.')];
|
||||
}
|
||||
|
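Review bot: The new `Security.csp_enforce` warning says CSP is "not enforced" but not what happens instead; the AppController change in this same commit sends the policy as `Content-Security-Policy-Report-Only` when the setting is off, and stating that makes the finding actionable (an admin can review report-only violations in the browser console before enforcing). Suggested wording, keeping the file's backtick style for the setting name: "Content security policies (CSP) are only sent in report-only mode and not enforced. Consider enforcing them by setting `Security.csp_enforce` to `true`." The unchanged `Sec-Fetch` message directly above the new block still reads "moder browsers" and "this checks"; since the commit already corrects neighbouring wording, "modern browsers" and "this check" could be fixed in the same pass.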
|
|
@ -1 +1 @@
|
|||
Subproject commit e764ed6983bac3a3171fe1a649176224d1abbf0a
|
||||
Subproject commit e1f01f674fbaeb5f5af13b15f9b87ede9bcc1291
|