gcp-cherry-pick-bot[bot] 780a59c908 internal: add CSP header to files in /media (cherry-pick #12092) (#12108) ...

internal: add CSP header to files in `/media` (#12092)

add CSP header to files in `/media`

This fixes a security issue of stored cross-site scripting via embedding
JavaScript in SVG files by a malicious user with `can_save_media`
capability.

This can be exploited if:
- the uploaded file is served from the same origin as authentik, and
- the user opens the uploaded file directly in their browser

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>

2024-11-21 09:58:42 +01:00

..

common

web/admin: fix error adding users to groups (#5016)

2023-03-20 18:15:36 +01:00

config

root: make redis settings more consistent (#9335)

2024-04-18 16:49:41 +02:00

constants

release: 2024.10.2

2024-11-14 17:05:40 +01:00

crypto

core: FIPS (#9683)

2024-05-23 17:34:52 +00:00

debug

internal: fix linting error

2023-01-09 17:17:27 +01:00

gounicorn

root: move database calls from ready() to dedicated startup signal (#9081)

2024-04-02 14:19:32 +02:00

outpost

root: check remote IP for proxy protocol same as HTTP/etc (cherry-pick #12094) (#12097)

2024-11-20 21:49:53 +01:00

utils

root: check remote IP for proxy protocol same as HTTP/etc (cherry-pick #12094) (#12097)

2024-11-20 21:49:53 +01:00

web

internal: add CSP header to files in /media (cherry-pick #12092) (#12108)

2024-11-21 09:58:42 +01:00