From 6c8d33d2f2e462a7215b0d21eee65e20832b620a Mon Sep 17 00:00:00 2001
From: Skylar Ittner <admin@netsyms.com>
Date: Mon, 13 Nov 2017 16:16:49 -0700
Subject: [PATCH] Refactor and enforce Content-Security-Policy

---
 app.php              |  4 ++--
 mobile/index.php     |  1 +
 pages/categories.php |  2 +-
 pages/editcat.php    |  2 +-
 pages/edititem.php   |  4 ++--
 pages/editloc.php    |  2 +-
 pages/home.php       |  4 ++--
 pages/items.php      |  6 +++---
 pages/locations.php  |  2 +-
 required.php         | 47 +++++++++++++++++++++++++++++++++++++++++++-
 static/css/app.css   | 22 +++++++++++++++++++++
 11 files changed, 82 insertions(+), 14 deletions(-)

diff --git a/app.php b/app.php
index 4fa803a..dd5d6a2 100644
--- a/app.php
+++ b/app.php
@@ -71,7 +71,7 @@ if (!is_empty($_GET['page'])) {
                                 }
                                 ?>
                                 <a class="navbar-brand" href="app.php">
-                                    <img style="height: 35px; padding-bottom: 12px; padding-left: 5px;" src="<?php echo $src; ?>" />
+                                    <img src="<?php echo $src; ?>" />
                                 </a>
                                 <?php
                             }
@@ -121,7 +121,7 @@ if (!is_empty($_GET['page'])) {
             <?php
             if (MENU_BAR_STYLE == "fixed") {
                 ?>
-                <div style="height: 75px;"></div>
+                <div class="pad-75px"></div>
                 <?php
             }
             ?>
diff --git a/mobile/index.php b/mobile/index.php
index e953b7e..f9f593a 100644
--- a/mobile/index.php
+++ b/mobile/index.php
@@ -90,6 +90,7 @@ switch ($VARS['action']) {
                 if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
                     if (account_has_permission($VARS['username'], "INV_VIEW")) {
                         doLoginUser($VARS['username'], $VARS['password']);
+                        $_SESSION['mobile'] = true;
                         exit(json_encode(["status" => "OK"]));
                     } else {
                         exit(json_encode(["status" => "ERROR", "msg" => lang("no permission", false)]));
diff --git a/pages/categories.php b/pages/categories.php
index dbc205f..363233d 100644
--- a/pages/categories.php
+++ b/pages/categories.php
@@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
 
 redirectifnotloggedin();
 ?>
-<div class="btn-group" style="margin-bottom: 10px;">
+<div class="btn-group mgn-btm-10px">
     <a href="app.php?page=editcat" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new category"); ?></a>
 </div>
 <table id="cattable" class="table table-bordered table-striped">
diff --git a/pages/editcat.php b/pages/editcat.php
index e9e276a..b08db62 100644
--- a/pages/editcat.php
+++ b/pages/editcat.php
@@ -59,7 +59,7 @@ if (!is_empty($VARS['id'])) {
             <?php
             if ($editing) {
                 ?>
-                <a href="action.php?action=deletecat&source=categories&catid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
+                <a href="action.php?action=deletecat&source=categories&catid=<?php echo htmlspecialchars($VARS['id']); ?>" class="btn btn-danger btn-xs pull-right mgn-top-8px"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
                 <?php
             }
             ?>
diff --git a/pages/edititem.php b/pages/edititem.php
index a9427d7..1f51904 100644
--- a/pages/edititem.php
+++ b/pages/edititem.php
@@ -129,7 +129,7 @@ if (!is_empty($VARS['id'])) {
                     <div class="form-group">
                         <label for="code2"><i class="fa fa-qrcode"></i> <?php lang("code 2"); ?></label>
                         <div class="input-group">
-                            <input type="text" style="width: available;" class="form-control" id="code2" name="code2" placeholder="qwerty123" value="<?php echo htmlspecialchars($itemdata['code2']); ?>" />
+                            <input type="text" class="form-control" id="code2" name="code2" placeholder="qwerty123" value="<?php echo htmlspecialchars($itemdata['code2']); ?>" />
                             <span class="input-group-btn mobile-app-show">
                                 <button type="button" class="btn btn-default" onclick="scancode('#code2'); return false;"><i class="fa fa-fw fa-barcode"></i></button>
                             </span>
@@ -198,7 +198,7 @@ if (!is_empty($VARS['id'])) {
             <?php
             if ($editing && !$cloning) {
                 ?>
-                <a href="action.php?action=deleteitem&source=items&itemid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
+                <a href="action.php?action=deleteitem&source=items&itemid=<?php echo htmlspecialchars($VARS['id']); ?>" class="btn btn-danger btn-xs pull-right mgn-top-8px"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
                 <?php
             }
             ?>
diff --git a/pages/editloc.php b/pages/editloc.php
index 0d4c3b8..9d2aa36 100644
--- a/pages/editloc.php
+++ b/pages/editloc.php
@@ -79,7 +79,7 @@ if (!is_empty($VARS['id'])) {
             <?php
             if ($editing) {
                 ?>
-                <a href="action.php?action=deleteloc&source=locations&locid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
+                <a href="action.php?action=deleteloc&source=locations&locid=<?php echo htmlspecialchars($VARS['id']); ?>" class="btn btn-danger btn-xs pull-right mgn-top-8px"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
                 <?php
             }
             ?>
diff --git a/pages/home.php b/pages/home.php
index 90d28bd..b891e97 100644
--- a/pages/home.php
+++ b/pages/home.php
@@ -11,7 +11,7 @@ redirectifnotloggedin();
                 <h1><i class="fa fa-fw fa-cubes"></i> <?php echo $database->count('items'); ?></h1>
             </div>
             <div class="panel-footer">
-                <a href="app.php?page=items" style="color: black;"><i class="fa fa-arrow-right"></i> <?php lang("view items"); ?></a>
+                <a href="app.php?page=items" class="black-text"><i class="fa fa-arrow-right"></i> <?php lang("view items"); ?></a>
             </div>
         </div>
     </div>
@@ -25,7 +25,7 @@ redirectifnotloggedin();
                 <h1><i class="fa fa-fw fa-tachometer"></i> <?php echo $lowcnt; ?></h1>
             </div>
             <div class="panel-footer">
-                <a href="app.php?page=items&filter=stock" style="color: black;"><i class="fa fa-arrow-right"></i> <?php lang("view understocked"); ?></a>
+                <a href="app.php?page=items&filter=stock" class="black-text"><i class="fa fa-arrow-right"></i> <?php lang("view understocked"); ?></a>
             </div>
         </div>
     </div>
diff --git a/pages/items.php b/pages/items.php
index f071c08..a99994c 100644
--- a/pages/items.php
+++ b/pages/items.php
@@ -5,14 +5,14 @@ require_once __DIR__ . "/../lib/userinfo.php";
 redirectifnotloggedin();
 ?>
 
-<div class="btn-group" style="margin-bottom: 10px;">
+<div class="btn-group mgn-btm-10px">
     <a href="app.php?page=edititem" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new item"); ?></a>
 </div>
 <?php if ($_GET['filter'] == 'stock') { ?>
-<script>var filter = "stock";</script>
+<script nonce="<?php echo $SECURE_NONCE; ?>">var filter = "stock";</script>
 <div class="alert alert-blue-grey"><i class="fa fa-filter fa-fw"></i> <?php lang("only showing understocked"); ?> &nbsp; <a href="app.php?page=items" class="btn btn-sm btn-blue-grey"><?php lang("show all items"); ?></a></div>
 <?php } else {
-    echo "<script>var filter = null;</script>\n";
+    echo "<script nonce=\"$SECURE_NONCE\">var filter = null;</script>\n";
 }
 ?>
 <table id="itemtable" class="table table-bordered table-striped">
diff --git a/pages/locations.php b/pages/locations.php
index e0f449c..94a1e5f 100644
--- a/pages/locations.php
+++ b/pages/locations.php
@@ -3,7 +3,7 @@ require_once __DIR__ . '/../required.php';
 
 redirectifnotloggedin();
 ?>
-<div class="btn-group" style="margin-bottom: 10px;">
+<div class="btn-group mgn-btm-10px">
     <a href="app.php?page=editloc" class="btn btn-success"><i class="fa fa-plus"></i> <?php lang("new location"); ?></a>
 </div>
 <table id="loctable" class="table table-bordered table-striped">
diff --git a/required.php b/required.php
index 14fb684..ac71b36 100644
--- a/required.php
+++ b/required.php
@@ -10,12 +10,43 @@ header('Content-Type: text/html; charset=utf-8');
 // l33t $ecurity h4x
 header('X-Content-Type-Options: nosniff');
 header('X-XSS-Protection: 1; mode=block');
+header('X-Powered-By: PHP'); // no versions makes it harder to find vulns
+header('X-Frame-Options: "DENY"');
+header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
+$SECURE_NONCE = base64_encode(random_bytes(8));
+
+
 $session_length = 60 * 60; // 1 hour
 session_set_cookie_params($session_length, "/", null, false, false);
 
 session_start(); // stick some cookies in it
 // renew session cookie
 setcookie(session_name(), session_id(), time() + $session_length);
+
+if ($_SESSION['mobile'] === TRUE) {
+    header("Content-Security-Policy: "
+            . "default-src 'self';"
+            . "object-src 'none'; "
+            . "img-src * data:; "
+            . "media-src 'self'; "
+            . "frame-src 'none'; "
+            . "font-src 'self'; "
+            . "connect-src *; "
+            . "style-src 'self' 'unsafe-inline'; "
+            . "script-src 'self' 'unsafe-inline'");
+} else {
+    header("Content-Security-Policy: "
+            . "default-src 'self';"
+            . "object-src 'none'; "
+            . "img-src * data:; "
+            . "media-src 'self'; "
+            . "frame-src 'none'; "
+            . "font-src 'self'; "
+            . "connect-src *; "
+            . "style-src 'self' 'nonce-$SECURE_NONCE'; "
+            . "script-src 'self' 'nonce-$SECURE_NONCE'");
+}
+
 //
 // Composer
 require __DIR__ . '/vendor/autoload.php';
@@ -32,7 +63,21 @@ require __DIR__ . '/lang/' . LANGUAGE . ".php";
  * @param string $error error message
  */
 function sendError($error) {
-    die("<!DOCTYPE html><html><head><title>Error</title></head><body><h1 style='color: red; font-family: sans-serif; font-size:100%;'>" . htmlspecialchars($error) . "</h1></body></html>");
+    global $SECURE_NONCE;
+    die("<!DOCTYPE html>"
+            . "<meta charset=\"UTF-8\">"
+            . "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">"
+            . "<title>Error</title>"
+            . "<style nonce=\"" . $SECURE_NONCE . "\">"
+            . "h1 {color: red; font-family: sans-serif; font-size: 20px; margin-bottom: 0px;} "
+            . "h2 {font-family: sans-serif; font-size: 16px;} "
+            . "p {font-family: monospace; font-size: 14px; width: 100%; wrap-style: break-word;} "
+            . "i {font-size: 12px;}"
+            . "</style>"
+            . "<h1>A fatal application error has occurred.</h1>"
+            . "<i>(This isn't your fault.)</i>"
+            . "<h2>Details:</h2>"
+            . "<p>". htmlspecialchars($error) . "</p>");
 }
 
 date_default_timezone_set(TIMEZONE);
diff --git a/static/css/app.css b/static/css/app.css
index e07d4d8..ca234cc 100644
--- a/static/css/app.css
+++ b/static/css/app.css
@@ -9,6 +9,28 @@
     font-size: 110%;
 }
 
+.navbar-brand img {
+    height: 35px;
+    padding-bottom: 12px;
+    padding-left: 5px;
+}
+
+.pad-75px {
+    height: 75px;
+}
+
+.mgn-btm-10px {
+    margin-bottom: 10px;
+}
+
+.mgn-top-8px {
+    margin-top: 8px;
+}
+
+.black-text {
+    color: black;
+}
+
 .footer {
     margin-top: 10em;
     text-align: center;