csp hacks

This commit is contained in:
2021-08-11 16:47:18 -04:00
parent ca6619afcf
commit 0b45ed9e02
13 changed files with 70599 additions and 42849 deletions


@@ -31,14 +31,14 @@
<?php } ?>
</div>
</div>
<script>window.jQuery || document.write('<script src="js/jquery.min.js"><\/script>')</script>
<script>
<script nonce="<?=$_SESSION['nonce']?>">window.jQuery || document.write('<script src="js/jquery.min.js"><\/script>')</script>
<script nonce="<?=$_SESSION['nonce']?>">
var popoverTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="popover"]'))
var popoverList = popoverTriggerList.map(function (popoverTriggerEl) {
return new bootstrap.Popover(popoverTriggerEl)
})
</script>
<script src="js/bootstrap.min.js"></script>
<script src="js/bootstrap.min.js" nonce="<?=$_SESSION['nonce']?>"></script>
<!-- END FOOTER CONTENT -->
</body>
</html>
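Review bot: The nonce echoed on the two inline `<script>` tags and on the `bootstrap.min.js` tag comes from `$_SESSION['nonce']`, a value that outlives a single response; a CSP nonce must be unique per response and never replayable, so any path that reaches this footer without first running the code that regenerates it (the header in this commit appears to do so on each include, but the session is the wrong scope for it) would emit a stale or empty nonce. Prefer a request-scoped variable set once where the policy header is built, e.g. `$cspNonce = base64_encode(random_bytes(16));`, and emit it as `nonce="<?= htmlspecialchars($cspNonce, ENT_QUOTES, 'UTF-8') ?>"` so the attribute stays well-formed if the generator ever changes. The nonce on the external `bootstrap.min.js` tag is redundant while `script-src` also lists `'self'`, which is harmless; but if `'strict-dynamic'` is ever added to the policy, the `document.write` fallback `<script src="js/jquery.min.js">` on the first line will be blocked because it carries no nonce.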


@@ -80,9 +80,13 @@
$timeplus = new DateTime($StaticFunctions->getUTC(), new DateTimeZone('UTC')); // DUMB WAY TO CALCULATE SOME TIMES
$timeplus->setTimezone(new DateTimeZone("$timezone"));
$timenow = $timeplus->format('Y-m-d H:i:s');
$_SESSION['nonce']= base64_encode(random_bytes(32));
$noncestring="nonce-".$_SESSION['nonce'];
$urlsrc=basename($_SERVER['PHP_SELF']);
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
//header("Content-Security-Policy: default-src '*'; script-src '*'");
//header("Content-Security-Policy: default-src '$urlsrc'; script-src '$urlsrc'");
header("Content-Security-Policy: default-src '$noncestring' 'self'; script-src '$noncestring' 'self' ; script-src-elem '$noncestring' 'self'; script-src-attr '$noncestring' 'self'; style-src '$noncestring' 'self'; style-src-elem '$noncestring' 'self'; style-src-attr '$noncestring' 'self'; img-src '$noncestring' 'self' data:; connect-src '$noncestring' 'self'; frame-src '$noncestring' 'self'; font-src '$noncestring' 'self'; media-src '$noncestring' 'self'; object-src '$noncestring' 'self'; manifest-src '$noncestring' 'self'; worker-src '$noncestring' 'self'; prefetch-src '$noncestring' 'self'; form-action '$noncestring' 'self'; frame-ancestors '$noncestring' 'self'");
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
@@ -98,33 +102,33 @@
<link rel="manifest" href="manifest.webmanifest">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-title" content="<?php echo $transLang['APP_NAME']; ?>">
<link rel="apple-touch-icon" href="assets/touch-logo.png?v3">
<link rel="apple-touch-icon" href="assets/touch-logo.png?v3" nonce="<?=$_SESSION['nonce']?>">
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<?php if (basename($_SERVER['PHP_SELF']) == 'signin_display.php'): ?> <meta http-equiv="refresh" content="5; url=index.php" /><?php endif; ?>
<link rel="stylesheet" href="css/bootstrap.min.css?v3"/>
<link rel="stylesheet" href="css/sticky-footer-navbar.css?v3">
<link rel="stylesheet" href="css/all.min.css?v3"/>
<link rel="stylesheet" href="css/fontawesome.min.css?v3"/>
<link rel="stylesheet" href="css/brands.min.css?v3"/>
<link rel="stylesheet" href="css/regular.min.css?v3"/>
<link rel="stylesheet" href="css/animate.min.css?v3"/>
<link rel="stylesheet" href="css/datatables.min.css?v3" />
<link rel="stylesheet" href="css/styles.css?v3"/>
<link rel="stylesheet" href="css/tempusdominus-bootstrap-4.min.css?v3"/>
<link rel="stylesheet" href="css/bootstrap.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/sticky-footer-navbar.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/all.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/fontawesome.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/brands.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/regular.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/animate.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/datatables.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/styles.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<link rel="stylesheet" href="css/tempusdominus-bootstrap-4.min.css?v3" nonce="<?=$_SESSION['nonce']?>"/>
<meta name="description" content="<?php echo $transLang['META_DESC']; ?>" />
<script src="js/jquery.min.js?v3"></script>
<script src="js/bootstrap.bundle.min.js?v3"></script>
<script src="js/datatables.min.js?v3"></script>
<script src="js/buttons.flash.min.js?v3"></script>
<script src="js/buttons.html5.min.js?v3"></script>
<script src="js/buttons.print.min.js?v3"></script>
<script src="js/dataTables.buttons.min.js?v3"></script>
<script src="js/jszip.min.js?v3"></script>
<script src="js/pdfmake.min.js?v45"></script>
<script src="js/vfs_fonts.js?v4"></script>
<script src="js/moment.min.js?v3"></script>
<script src="js/tempusdominus-bootstrap-4.min.js?v3"></script>
<script src="js/jSignature.min.js?v3"></script>
<script src="js/jquery.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/bootstrap.bundle.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/datatables.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/buttons.flash.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/buttons.html5.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/buttons.print.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/dataTables.buttons.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/jszip.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/pdfmake.min.js?v46" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/vfs_fonts.js?v4" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/moment.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/tempusdominus-bootstrap-4.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<script src="js/jSignature.min.js?v3" nonce="<?=$_SESSION['nonce']?>"></script>
<title><?php echo $StaticFunctions->getTitle($app_current_pagename, $app_disp_lang); ?></title>
</head>
<!-- END HEAD -->
@@ -133,7 +137,7 @@
<!-- START NAVBAR -->
<nav class="navbar navbar-expand-lg navbar-light bg-light mb-2">
<div class="container-fluid">
<a class="navbar-brand" href="index.php"><img src="<?php echo $StaticFunctions->getLogo(); ?>" width="120" height="60" alt=""></a>
<a class="navbar-brand" href="index.php"><img src="<?php echo $StaticFunctions->getLogo(); ?>" width="120" height="60" alt="" nonce="<?=$_SESSION['nonce']?>"></a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbar"><span class="navbar-toggler-icon"></span></button>
<div class="collapse navbar-collapse" id="navbar">
<ul class="navbar-nav me-auto mb-2 mb-lg-0">
@@ -155,7 +159,7 @@
<li class="nav-item"><a class="nav-link<?php if ($app_current_pagename==$transLang['SIGNOUT']): echo " active"; endif; ?>" href="signout.php"><i class="fas fa-sign-out-alt"></i> <?php echo $transLang['SIGNOUT']; ?></a></li>
</ul>
<ul class="navbar-nav mr-sm-2">
<li class="nav-item"><a class="nav-link btn btn-sm btn-outline-success<?php if ($app_current_pagename==$transLang['LOGIN']): echo " active"; endif; ?>" href="login.php"><i class="fas fa-cogs"></i> </a></li>
<li class="nav-item"><a class="nav-link btn btn-sm btn-outline-success<?php if ($app_current_pagename==$transLang['LOGIN']): echo " active"; endif; ?>" href="changeaccess.php"><i class="fas fa-cogs"></i> </a></li>
<!-- END NAVBAR MENU FOR ALL LOGGED OUT - BOTTOM END -->
<?php endif; ?>
<?php if ($session_status == true): ?>
@@ -221,13 +225,13 @@
</div>
</div>
</div>
<script>
<script nonce="<?=$_SESSION['nonce']?>">
$(".changelang").change(function(e){
e.preventDefault();
$(this).closest("form").submit();
});
</script>
<script>
<script nonce="<?=$_SESSION['nonce']?>">
$(document).ready(function () {
//POP MODAL IF NO COOKIE
if ( document.cookie.indexOf("app_site=") < 0) {