X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Fclub%2Fwpia%2Fgigi%2FGigi.java;h=33db52adb3df5d843adcee8cd2cf884b868c5b88;hb=5ff16bf1cd44c001f134e3eabfb30ecd6e78c08c;hp=f8f931a63f9abd45a1ebfcaf702c673827de60fb;hpb=bccd4cc0dba0f89aa045b113bac46eb8cc1dab4e;p=gigi.git
diff --git a/src/club/wpia/gigi/Gigi.java b/src/club/wpia/gigi/Gigi.java
index f8f931a6..33db52ad 100644
--- a/src/club/wpia/gigi/Gigi.java
+++ b/src/club/wpia/gigi/Gigi.java
@@ -77,10 +77,13 @@ import club.wpia.gigi.util.AuthorizationContext;
 import club.wpia.gigi.util.DomainAssessment;
 import club.wpia.gigi.util.PasswordHash;
 import club.wpia.gigi.util.ServerConstants;
+import club.wpia.gigi.util.ServerConstants.Host;
 import club.wpia.gigi.util.TimeConditions;
 public final class Gigi extends HttpServlet {
+ public static final String LINK_HOST = "linkHost";
+
 private class MenuBuilder {
 private LinkedList categories = new LinkedList();
@@ -120,14 +123,14 @@ public final class Gigi extends HttpServlet {
 putPage("/denied", new AccessDenied(), null);
 putPage("/error", new PageNotFound(), null);
 putPage("/login", new LoginPage(), null);
- getMenu("SomeCA.org").addItem(new SimpleMenuItem("https://" + ServerConstants.getWwwHostNamePort() + "/login", "Password Login") {
+ getMenu("SomeCA.org").addItem(new SimpleMenuItem("https://" + ServerConstants.getHostNamePort(Host.WWW) + "/login", "Password Login") {
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
 return ac == null;
 }
 });
- getMenu("SomeCA.org").addItem(new SimpleMenuItem("https://" + ServerConstants.getSecureHostNamePortSecure() + "/login", "Certificate Login") {
+ getMenu("SomeCA.org").addItem(new SimpleMenuItem("https://" + ServerConstants.getHostNamePortSecure(Host.SECURE) + "/login", "Certificate Login") {
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
@@ -315,9 +318,9 @@ public final class Gigi extends HttpServlet {
 }
- private static String staticTemplateVar = "//" + ServerConstants.getStaticHostNamePort();
+ private static String staticTemplateVar = "//" + ServerConstants.getHostNamePort(Host.STATIC);
- private static String staticTemplateVarSecure = "//" + ServerConstants.getStaticHostNamePortSecure();
+ private static String staticTemplateVarSecure = "//" + ServerConstants.getHostNamePortSecure(Host.STATIC);
 @Override
 protected void service(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
@@ -341,9 +344,9 @@ public final class Gigi extends HttpServlet {
 // it always
 String originHeader = req.getHeader("Origin");
 if (originHeader != null //
- && !(originHeader.matches("^" + Pattern.quote("https://" + ServerConstants.getWwwHostNamePortSecure()) + "(/.*|)") || //
- originHeader.matches("^" + Pattern.quote("http://" + ServerConstants.getWwwHostNamePort()) + "(/.*|)") || //
- originHeader.matches("^" + Pattern.quote("https://" + ServerConstants.getSecureHostNamePortSecure()) + "(/.*|)"))) {
+ && !(originHeader.matches("^" + Pattern.quote("https://" + ServerConstants.getHostNamePortSecure(Host.WWW)) + "(/.*|)") || //
+ originHeader.matches("^" + Pattern.quote("http://" + ServerConstants.getHostNamePort(Host.WWW)) + "(/.*|)") || //
+ originHeader.matches("^" + Pattern.quote("https://" + ServerConstants.getHostNamePortSecure(Host.SECURE)) + "(/.*|)"))) {
 resp.setContentType("text/html; charset=utf-8");
 resp.getWriter().println("AlertNo cross domain access allowed.
If you don't know why you're seeing this you may have been fished! Please change your password immediately!");
 return;
@@ -370,7 +373,7 @@ public final class Gigi extends HttpServlet {
 if (p != null) {
 if ( !isSecure && (p.needsLogin() || p instanceof LoginPage || p instanceof RegisterPage)) {
- resp.sendRedirect("https://" + ServerConstants.getWwwHostNamePortSecure() + req.getPathInfo());
+ resp.sendRedirect("https://" + ServerConstants.getHostNamePortSecure(Host.WWW) + req.getPathInfo());
 return;
 }
 AuthorizationContext currentAuthContext = LoginPage.getAuthorizationContext(req);
@@ -424,6 +427,11 @@ public final class Gigi extends HttpServlet {
 vars.put("static", isSecure ? staticTemplateVarSecure : staticTemplateVar);
 vars.put("year", Calendar.getInstance().get(Calendar.YEAR));
 vars.put("content", content);
+ if (isSecure) {
+ req.setAttribute(LINK_HOST, ServerConstants.getHostNamePortSecure(Host.LINK));
+ } else {
+ req.setAttribute(LINK_HOST, ServerConstants.getHostNamePort(Host.LINK));
+ }
 if (currentAuthContext != null) {
 // TODO maybe move this information into the AuthContext object
 vars.put("loginMethod", req.getSession().getAttribute(LOGIN_METHOD));
@@ -439,7 +447,7 @@ public final class Gigi extends HttpServlet {
 }
 public static void addXSSHeaders(HttpServletResponse hsr, boolean doHttps) {
- hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getWwwHostNamePortSecure() + " https://" + ServerConstants.getSecureHostNamePortSecure());
+ hsr.addHeader("Access-Control-Allow-Origin", "https://" + ServerConstants.getHostNamePortSecure(Host.WWW) + " https://" + ServerConstants.getHostNamePortSecure(Host.SECURE));
 hsr.addHeader("Access-Control-Max-Age", "60");
 if (doHttps) {
 hsr.addHeader("Content-Security-Policy", httpsCSP);
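Review bot: The three origins accepted by the rewritten `originHeader.matches(...)` chain are the same three that `addXSSHeaders` and the CSP `form-action` assemble again on their own, and every request now goes through `Pattern.quote` plus `String.matches` three times; one `private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList("https://" + ServerConstants.getHostNamePortSecure(Host.WWW), "http://" + ServerConstants.getHostNamePort(Host.WWW), "https://" + ServerConstants.getHostNamePortSecure(Host.SECURE)));` and `if (originHeader != null && !ALLOWED_ORIGINS.contains(originHeader)) {` would keep the allowlist in a single place that the other two sites can reuse (this needs `java.util.Set`, `HashSet` and `Arrays` imported). Exact matching is enough here because an `Origin` header value is scheme, host and optional port only, so the `"(/.*|)"` suffix never matches anything a browser sends. Requests without an `Origin` header still skip the check entirely; the partially visible comment above the hunk seems to accept that, but it is worth stating next to the `originHeader != null` test. The `service` method this sits in begins before and ends after the hunk.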
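Review bot: The rewritten `Access-Control-Allow-Origin` line still emits two origins separated by a space, which is not a valid value for that header: browsers accept exactly one origin or `*`, so if any cross-origin request between the `WWW` and `SECURE` hosts is made the response is rejected on the client and the header achieves nothing. The usual fix is to reflect the request's already-validated `Origin` back, e.g. `hsr.addHeader("Access-Control-Allow-Origin", allowedOrigin);` followed by `hsr.addHeader("Vary", "Origin");`, which means the validated origin (or the request) has to be passed into `addXSSHeaders(HttpServletResponse, boolean)` rather than the method hard-coding both hosts. The `Origin` check earlier in `service` already decides which origins are acceptable, so the two pieces of logic should share one allowlist. The body of `addXSSHeaders` continues past the end of the hunk.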
@@ -457,12 +465,12 @@ public final class Gigi extends HttpServlet {
 private static String genHttpsCSP() {
 StringBuffer csp = new StringBuffer();
 csp.append("default-src 'none'");
- csp.append(";font-src https://" + ServerConstants.getStaticHostNamePortSecure());
- csp.append(";img-src https://" + ServerConstants.getStaticHostNamePortSecure());
+ csp.append(";font-src https://" + ServerConstants.getHostNamePortSecure(Host.STATIC));
+ csp.append(";img-src https://" + ServerConstants.getHostNamePortSecure(Host.STATIC));
 csp.append(";media-src 'none'; object-src 'none'");
- csp.append(";script-src https://" + ServerConstants.getStaticHostNamePortSecure());
- csp.append(";style-src https://" + ServerConstants.getStaticHostNamePortSecure());
- csp.append(";form-action https://" + ServerConstants.getSecureHostNamePortSecure() + " https://" + ServerConstants.getWwwHostNamePortSecure());
+ csp.append(";script-src https://" + ServerConstants.getHostNamePortSecure(Host.STATIC));
+ csp.append(";style-src https://" + ServerConstants.getHostNamePortSecure(Host.STATIC));
+ csp.append(";form-action https://" + ServerConstants.getHostNamePortSecure(Host.SECURE) + " https://" + ServerConstants.getHostNamePortSecure(Host.WWW));
 // csp.append(";report-url https://api.wpia.club/security/csp/report");
 return csp.toString();
 }
@@ -470,12 +478,12 @@ public final class Gigi extends HttpServlet {
 private static String genHttpCSP() {
 StringBuffer csp = new StringBuffer();
 csp.append("default-src 'none'");
- csp.append(";font-src http://" + ServerConstants.getStaticHostNamePort());
- csp.append(";img-src http://" + ServerConstants.getStaticHostNamePort());
+ csp.append(";font-src http://" + ServerConstants.getHostNamePort(Host.STATIC));
+ csp.append(";img-src http://" + ServerConstants.getHostNamePort(Host.STATIC));
 csp.append(";media-src 'none'; object-src 'none'");
- csp.append(";script-src http://" + ServerConstants.getStaticHostNamePort());
- csp.append(";style-src http://" + ServerConstants.getStaticHostNamePort());
- csp.append(";form-action https://" + ServerConstants.getSecureHostNamePortSecure() + " https://" + ServerConstants.getWwwHostNamePort());
+ csp.append(";script-src http://" + ServerConstants.getHostNamePort(Host.STATIC));
+ csp.append(";style-src http://" + ServerConstants.getHostNamePort(Host.STATIC));
+ csp.append(";form-action http://" + ServerConstants.getHostNamePortSecure(Host.SECURE) + " http://" + ServerConstants.getHostNamePort(Host.WWW));
 // csp.append(";report-url http://api.wpia.club/security/csp/report");
 return csp.toString();
 }
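Review bot: The rewritten `form-action` line pairs `http://` with `getHostNamePortSecure(Host.SECURE)`, whereas every other use of the `SECURE` host in this diff (the `Origin` allowlist, `Access-Control-Allow-Origin`, `genHttpsCSP`) combines `https://` with that same `...Secure` port and the removed line used `https://` here too; an `http://` origin on the TLS port is presumably not served, so under the plain-HTTP policy a form can no longer post to the secure host at all. Unless that is the intent, keep the scheme: `csp.append(";form-action https://" + ServerConstants.getHostNamePortSecure(Host.SECURE) + " http://" + ServerConstants.getHostNamePort(Host.WWW));`. The `WWW` entry, which moved from `https://` with the plain port to `http://` with the plain port, does look like a deliberate correction of the old scheme/port mismatch, so the note is only about the `SECURE` entry. The commented-out `report-url` line kept as context is not a CSP directive name (`report-uri` is) but predates this commit.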