From ae5ced392c6d24f002946109d0d0014be93209b0 Mon Sep 17 00:00:00 2001
From: JediKev <kevin@enhancesoft.com>
Date: Thu, 11 Apr 2019 12:13:22 -0500
Subject: [PATCH] issue: iFrame Single Quotes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's all about the single quotes baby! Apparently I can't read; the single
quotes are only meant for word options such as `'self'` and `'none'`. When
adding single quotes to the `<host-source>` options it takes them
literally…too literally. For example, if your options are `'localhost:80
localhost:8080 localhost:8000'` then `'localhost:80` and `localhost:8000'`
will be seen as "invalid" due to the single quotes. This removes the single
quotes from every line that sets the CSP so all options are valid. This also
adds single quotes around the `self` option so it stays valid as well.
---
 include/class.config.php       | 2 +-
 include/client/header.inc.php  | 2 +-
 include/staff/header.inc.php   | 2 +-
 include/staff/login.header.php | 2 +-
 setup/inc/header.inc.php       | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/class.config.php b/include/class.config.php
index 0f046d345..116c5253e 100644
--- a/include/class.config.php
+++ b/include/class.config.php
@@ -430,7 +430,7 @@ class OsticketConfig extends Config {
     }
 
     function getAllowIframes() {
-        return str_replace(array(', ', ','), array(' ', ' '), $this->get('allow_iframes')) ?: 'self';
+        return str_replace(array(', ', ','), array(' ', ' '), $this->get('allow_iframes')) ?: "'self'";
     }
 
     function isAvatarsEnabled() {
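Review bot: A stored value of bare `self` or `none` is now emitted as a host-source rather than a CSP keyword, because only the fallback on the new line 34 carries the quotes; browsers read an unquoted `self` as a hostname, so a site whose admin typed `self` (or whose value was saved while the call sites still added the quotes) would stop being framable by itself. The getter is the one place every header site goes through, so I would normalize keyword tokens there instead of relying on how the value was entered; sketch below. I cannot see the admin form that stores `allow_iframes`, so whether it already enforces the quotes is unverified.
```php
    function getAllowIframes() {
        // Split on commas/whitespace and quote the CSP keywords 'self' and 'none'
        // so they are not read as host names; host-source tokens pass through unchanged.
        $tokens = preg_split('/[\s,]+/', (string) $this->get('allow_iframes'), -1, PREG_SPLIT_NO_EMPTY);
        foreach ($tokens as &$t) {
            $bare = strtolower(trim($t, "'"));
            if (in_array($bare, array('self', 'none'), true))
                $t = "'".$bare."'";
        }
        unset($t);
        return $tokens ? implode(' ', $tokens) : "'self'";
    }
```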
diff --git a/include/client/header.inc.php b/include/client/header.inc.php
index 8c248b158..e26d4b503 100644
--- a/include/client/header.inc.php
+++ b/include/client/header.inc.php
@@ -6,7 +6,7 @@ $signin_url = ROOT_PATH . "login.php"
 $signout_url = ROOT_PATH . "logout.php?auth=".$ost->getLinkToken();
 
 header("Content-Type: text/html; charset=UTF-8");
-header("Content-Security-Policy: frame-ancestors '".$cfg->getAllowIframes()."';");
+header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes().";");
 if (($lang = Internationalization::getCurrentLanguage())) {
     $langs = array_unique(array($lang, $cfg->getPrimaryLanguage()));
     $langs = Internationalization::rfc1766($langs);
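Review bot: The directive value on the new line 47 is concatenated into the header verbatim, so `frame-ancestors` is now only as well-formed as whatever getAllowIframes() returns; a token containing `;` would end the directive and start another one, and PHP's header() refuses only CR/LF, not `;`. The same applies to the hunks for include/staff/header.inc.php, include/staff/login.header.php and setup/inc/header.inc.php. Since the value is admin-supplied configuration rather than request input the exposure is limited, but I would validate the token list where the setting is saved or in the getter rather than at four call sites, and add `// value is a space-separated list of CSP source expressions, validated on save` above the header() call so the trust boundary is explicit.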
diff --git a/include/staff/header.inc.php b/include/staff/header.inc.php
index 4de7ccd8f..a5be84994 100644
--- a/include/staff/header.inc.php
+++ b/include/staff/header.inc.php
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: text/html; charset=UTF-8");
-header("Content-Security-Policy: frame-ancestors '".$cfg->getAllowIframes()."';");
+header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes().";");
 
 $title = ($ost && ($title=$ost->getPageTitle()))
     ? $title : ('osTicket :: '.__('Staff Control Panel'));
diff --git a/include/staff/login.header.php b/include/staff/login.header.php
index e1b1b3a5a..2f24f3a17 100644
--- a/include/staff/login.header.php
+++ b/include/staff/login.header.php
@@ -1,6 +1,6 @@
 <?php
 defined('OSTSCPINC') or die('Invalid path');
-header("Content-Security-Policy: frame-ancestors '".$cfg->getAllowIframes()."';");
+header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes().";");
 ?>
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
diff --git a/setup/inc/header.inc.php b/setup/inc/header.inc.php
index 900c143fa..fcb69d3ff 100644
--- a/setup/inc/header.inc.php
+++ b/setup/inc/header.inc.php
@@ -1,6 +1,6 @@
 <?php
 if ($cfg)
-    header("Content-Security-Policy: frame-ancestors '".$cfg->getAllowIframes()."';");
+    header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes().";");
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
     "http://www.w3.org/TR/html4/loose.dtd">
-- 
GitLab