authentik/internal/web
Simonyi Gergő 4189981995
internal: add CSP header to files in `/media` (#12092)
add CSP header to files in `/media`

This fixes a security issue of stored cross-site scripting via embedding
JavaScript in SVG files by a malicious user with `can_save_media`
capability.

This can be exploited if:
- the uploaded file is served from the same origin as authentik, and
- the user opens the uploaded file directly in their browser

Co-authored-by: Jens L. <jens@goauthentik.io>
2024-11-21 09:16:07 +01:00
brand_tls outposts: implement general paginator for list API requests (#10619) 2024-07-29 22:14:18 +02:00
metrics.go root: bump python deps (django 5) (#7862) 2023-12-18 22:07:59 +01:00
proxy.go root: move database calls from ready() to dedicated startup signal (#9081) 2024-04-02 14:19:32 +02:00
static.go internal: add CSP header to files in `/media` (#12092) 2024-11-21 09:16:07 +01:00
web.go root: check remote IP for proxy protocol same as HTTP/etc (#12094) 2024-11-20 21:33:35 +01:00
web_tls.go root: check remote IP for proxy protocol same as HTTP/etc (#12094) 2024-11-20 21:33:35 +01:00