habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4189981995fe497ce95aa231fdd0ca07a34751e7
authentik/internal/web
History
Simonyi Gergő 4189981995 internal: add CSP header to files in /media (#12092) 
add CSP header to files in `/media`

This fixes a security issue of stored cross-site scripting via embedding
JavaScript in SVG files by a malicious user with `can_save_media`
capability.

This can be exploited if:
- the uploaded file is served from the same origin as authentik, and
- the user opens the uploaded file directly in their browser

Co-authored-by: Jens L. <jens@goauthentik.io>
2024-11-21 09:16:07 +01:00
..
brand_tls
outposts: implement general paginator for list API requests (#10619)
2024-07-29 22:14:18 +02:00
metrics.go
root: bump python deps (django 5) (#7862)
2023-12-18 22:07:59 +01:00
proxy.go
root: move database calls from ready() to dedicated startup signal (#9081)
2024-04-02 14:19:32 +02:00
static.go
internal: add CSP header to files in /media (#12092)
2024-11-21 09:16:07 +01:00
web_tls.go
root: check remote IP for proxy protocol same as HTTP/etc (#12094)
2024-11-20 21:33:35 +01:00
web.go
root: check remote IP for proxy protocol same as HTTP/etc (#12094)
2024-11-20 21:33:35 +01:00