Merge branch '2.4' into develop

2021-03-03 17:24:20 +01:00 · 2021-03-03 17:24:20 +01:00 · ba200f2458
parent e7f6c10256 916c2c989d
commit ba200f2458
4 changed files with 14 additions and 6 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 4a2367ec965d70d84a0091ea3a6978916a7df25a
+Subproject commit 39a7b8242f0d3022276d417ec334bb46b890ff23
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@ -26,7 +26,7 @@ class AppController extends Controller
    public $helpers = array('OrgImg', 'FontAwesome', 'UserName', 'DataPathCollector');

    private $__queryVersion = '126';
-    public $pyMispVersion = '2.4.138';
+    public $pyMispVersion = '2.4.140';
    public $phpmin = '7.2';
    public $phprec = '7.4';
    public $phptoonew = '8.0';
@ -717,7 +717,7 @@ class AppController extends Controller
            return;
        }
        if (is_array($custom)) {
-            $default = $default + $custom;
+            $default = $custom + $default;
        }
        $header = [];
        foreach ($default as $key => $value) {
@ -729,7 +729,8 @@ class AppController extends Controller
                }
            }
        }
-        $this->response->header('Content-Security-Policy', implode('; ', $header));
+        $header = Configure::read('Security.csp_enforce') ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
+        $this->response->header($header, implode('; ', $header));
    }

    private function __rateLimitCheck()
--- a/app/Lib/Tools/SecurityAudit.php
+++ b/app/Lib/Tools/SecurityAudit.php
@ -61,7 +61,7 @@ class SecurityAudit
        if (empty(Configure::read('Security.disable_browser_cache'))) {
            $output['Browser'][] = [
                'warning',
-                __('Browser cache is enabled. Attacker can obtain sensitive data from user cache. You can disable cache by setting `Security.disable_browser_cache` to `false`.'),
+                __('Browser cache is enabled. Attacker can obtain sensitive data from user cache. You can disable cache by setting `Security.disable_browser_cache` to `true`.'),
            ];
        }
        if (empty(Configure::read('Security.check_sec_fetch_site_header'))) {
@ -70,6 +70,13 @@ class SecurityAudit
                __('MISP server is not checking `Sec-Fetch` HTTP headers. This is protection against CSRF for moder browsers. You can enable this checks by setting `Security.check_sec_fetch_site_header` to `true`.'),
            ];
        }
+        if (empty(Configure::read('Security.csp_enforce'))) {
+            $output['Browser'][] = [
+                'warning',
+                __('Content security policies (CSP) are not enforced. Consider enabling them by setting `Security.csp_enforce` to `true`.'),
+                'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
+            ];
+        }
        if (Configure::read('Security.disable_form_security')) {
            $output['Browser'][] = ['error', __('Disabling form security is never a good idea.')];
        }
--- a/app/files/misp-objects
+++ b/app/files/misp-objects
@ -1 +1 @@
-Subproject commit e764ed6983bac3a3171fe1a649176224d1abbf0a
+Subproject commit e1f01f674fbaeb5f5af13b15f9b87ede9bcc1291