Ver Fonte

Add Frame Security Options header

Jeremy D há 11 anos atrás
pai
commit
1e3d6c90de

+ 2 - 0
Sources/ManageSettings.php

@@ -605,6 +605,8 @@ function ModifyGeneralSecuritySettings($return_config = false)
 		'',
 			// Reporting of personal messages?
 			array('check', 'enableReportPM'),
+		'',
+			array('select', 'frame_security', array('SAMEORIGIN' => $txt['setting_frame_security_SAMEORIGIN'], 'DENY' => $txt['setting_frame_security_DENY'], 'DISABLE' => $txt['setting_frame_security_DISABLE'])),
 	);
 
 	call_integration_hook('integrate_general_security_settings', array(&$config_vars));

+ 28 - 2
Sources/Security.php

@@ -1284,7 +1284,7 @@ RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml';
 	{
 		$fh = @fopen($path . '/index.php', 'w');
 		if ($fh) {
-			fwrite($fh, '<?php
+			fwrite($fh, '<' . '?php
 
 /**
  * This file is here solely to protect your ' . $directoryname . ' directory.
@@ -1301,7 +1301,7 @@ if (file_exists(dirname(dirname(__FILE__)) . \'/Settings.php\'))
 else
 	exit;
 
-?>');
+?'. '>');
 			fclose($fh);
 		}
 		$errors[] = 'index-php_cannot_create_file';
@@ -1352,4 +1352,30 @@ function constructBanQueryIP($fullip)
 	return $ban_query;
 }
 
+/**
+* This sets the X-Frame-Options header.
+*
+* @param string $option the frame option, defaults to deny.
+* @return void.
+* @since 3.0
+* @version 3.0
+*/
+function frameOptionsHeader($override = null)
+{
+	global $modSettings;
+
+	$option = 'SAMEORIGIN';
+	if (is_null($override) && !empty($modSettings['frame_security']))
+		$option = $modSettings['frame_security'];
+	elseif (in_array($override, array('SAMEORIGIN', 'DENY', 'SAMEORIGIN')))
+		$option = $override;
+
+	// Don't bother setting the header if we have disabled it.
+	if ($option == 'DISABLE')
+		return;
+
+	// Finally set it.
+	header('X-Frame-Options: ' . $option);
+}
+
 ?>

+ 3 - 0
Sources/Subs.php

@@ -2592,6 +2592,9 @@ function obExit($header = null, $do_footer = null, $from_index = false, $from_fa
 	if ($do_footer === null)
 		$do_footer = $do_header;
 
+	// We should set our security headers now.
+	frameOptionsHeader();
+
 	// Has the template/header been done yet?
 	if ($do_header)
 	{

+ 6 - 1
Themes/default/languages/ManageSettings.english.php

@@ -384,4 +384,9 @@ $txt['languages_download_complete'] = 'Installation Complete';
 $txt['languages_download_complete_desc'] = 'Language pack installed successfully. Please click <a href="%1$s">here</a> to return to the languages page';
 $txt['languages_delete_confirm'] = 'Are you sure you want to delete this language?';
 
-?>
+$txt['setting_frame_security'] = 'Frame Security Options';
+$txt['setting_frame_security_SAMEORIGIN'] = 'Allow Same Origin';
+$txt['setting_frame_security_DENY'] = 'Deny all frames';
+$txt['setting_frame_security_DISABLE'] = 'Disabled';
+
+?>