@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Don't emit Content-Security-Policy when returning a response during preflight setup checks

Summary:
Ref T4340. See <https://discourse.phabricator-community.org/t/core-exception-during-installation/1193/8>.

If we return a response very early during setup, we may not be able to read from the environment yet. Just decline to build a "Content-Security-Policy" header in these cases.

Test Plan:
- Faked a preflight error (e.g., safe_mode enabled), restarted apache.
- Before patch: environment error while generating CSP.
- After patch: no error.
- Loaded a normal page, observed a normal CSP header.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19172

+13 -2
src/aphront/response/AphrontResponse.php
··· 103 103 return null; 104 104 } 105 105 106 - $csp = array(); 106 + // NOTE: We may return a response during preflight checks (for example, 107 + // if a user has a bad version of PHP). 108 + 109 + // In this case, setup isn't complete yet and we can't access environmental 110 + // configuration. If we aren't able to read the environment, just decline 111 + // to emit a Content-Security-Policy header. 112 + 113 + try { 114 + $cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain'); 115 + } catch (Exception $ex) { 116 + return null; 117 + } 107 118 108 - $cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain'); 119 + $csp = array(); 109 120 if ($cdn) { 110 121 $default = $this->newContentSecurityPolicySource($cdn); 111 122 } else {
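Review bot: the `catch (Exception $ex)` around `PhabricatorEnv::getEnvConfig('security.alternate-file-domain')` is broader than the preflight case the new comment describes: any exception raised while reading that key, not only "environment not loaded yet", now makes the method `return null` and the response goes out with no Content-Security-Policy header at all. Because a silently missing CSP is a quiet security regression rather than a visible failure, consider narrowing the catch to the exception type the environment layer throws before setup completes, or at minimum logging the caught exception before returning so the fallback is observable in production; as written, `$ex` is caught and discarded. The relocation of `$csp = array();` to after the `try` block is fine, since nothing between the old and new positions used it.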