clickjacking protection: set X-Frame-Options SAMEORIGIN, RT#39607

[freeside.git] / FS / FS / Mason / Request.pm

diff --git a/FS/FS/Mason/Request.pm b/FS/FS/Mason/Request.pm
index 0d21df4..537ba2d 100644 (file)
--- a/FS/FS/Mason/Request.pm
+++ b/FS/FS/Mason/Request.pm
@@ -4,6 +4,8 @@ use strict;
 use warnings;
 use vars qw( $FSURL $QUERY_STRING );
 use base 'HTML::Mason::Request';
+use FS::Trace;
+use FS::access_user_log;
 
 $FSURL = 'http://Set/FS_Mason_Request_FSURL/in_standalone_mode/';
 $QUERY_STRING = '';
@@ -11,21 +13,27 @@ $QUERY_STRING = '';
 sub new {
     my $class = shift;
 
+    FS::Trace->log('creating new FS::Mason::Request object');
+
     my $superclass = $HTML::Mason::ApacheHandler::VERSION ?
                      'HTML::Mason::Request::ApacheHandler' :
                      $HTML::Mason::CGIHandler::VERSION ?
                      'HTML::Mason::Request::CGI' :
                      'HTML::Mason::Request';
 
+    FS::Trace->log('  altering superclass');
     $class->alter_superclass( $superclass );
 
+    FS::Trace->log('  setting valid params');
     #huh... shouldn't alter_superclass take care of this for us?
     __PACKAGE__->valid_params( %{ $superclass->valid_params() } );
 
+    FS::Trace->log('  freeside_setup');
     my %opt = @_;
     my $mode = $superclass =~ /Apache/i ? 'apache' : 'standalone';
     $class->freeside_setup($opt{'comp'}, $mode);
 
+    FS::Trace->log('  SUPER::new');
     $class->SUPER::new(@_);
 
 }
@@ -38,6 +46,8 @@ my $protect_fds;
 sub freeside_setup {
     my( $class, $filename, $mode ) = @_;
 
+    FS::Trace->log('    protecting fds');
+
     #from rt/bin/webmux.pl(.in)
     if ( !$protect_fds && $ENV{'MOD_PERL'} && exists $ENV{'MOD_PERL_API_VERSION'}
         && $ENV{'MOD_PERL_API_VERSION'} >= 2
@@ -55,8 +65,14 @@ sub freeside_setup {
             if fileno(STDOUT) != 1;
     }
 
+    FS::Trace->log('    adding headers');
+    #frame-ancestors not supported by all the major browsers yet
+    $HTML::Mason::Commands::r->header_out( 'X-Frame-Options', 'SAMEORIGIN' );
+
     if ( $filename =~ qr(/REST/\d+\.\d+/NoAuth/) ) {
 
+      FS::Trace->log('    handling RT REST/NoAuth file');
+
       package HTML::Mason::Commands; #?
       use FS::UID qw( adminsuidsetup );
 
@@ -65,10 +81,13 @@ sub freeside_setup {
       ##old installs w/fs_selfs or selfserv??
       #&adminsuidsetup('fs_selfservice');
 
+      FS::Trace->log('    adminsuidsetup fs_queue');
       &adminsuidsetup('fs_queue');
 
     } else {
 
+      FS::Trace->log('    handling regular file');
+
       package HTML::Mason::Commands;
       use vars qw( $cgi $p $fsurl ); # $lh ); #not using /mt
       use Encode;
@@ -77,6 +96,7 @@ sub freeside_setup {
 
       if ( $mode eq 'apache' ) {
         $cgi = new CGI;
+        FS::Trace->log('    cgisuidsetup');
         &cgisuidsetup($cgi);
         #&cgisuidsetup($r);
         $fsurl = rooturl();
@@ -91,8 +111,13 @@ sub freeside_setup {
         die "unknown mode $mode";
       }
 
+    FS::Trace->log('    UTF-8-decoding form data');
     #
     foreach my $param ( $cgi->param ) {
+        
+      #we can't switch to multi_param until we're done supporting deb 7
+      local($CGI::LIST_CONTEXT_WARN) = 0;
+
       my @values = $cgi->param($param);
       next if $cgi->uploadInfo($values[0]);
       #warn $param;
@@ -102,6 +127,10 @@ sub freeside_setup {
     
   }
 
+  FS::access_user_log->insert_new_path( $filename );
+
+  FS::Trace->log('    done');
+
 }
 
 sub callback {