jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #3524 from evazion/feat-hsts

Browse Source 
Fix #3522: Enable HSTS
This commit is contained in:
Albert Yi
2018-04-19 09:41:43 -07:00
committed by GitHub
parent 83b96b4f3f 09462aefeb
commit 503e8adf69
15 changed files with 58 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/application_controller.rb
View File

@@ -11,7 +11,6 @@ class ApplicationController < ActionController::Base
before_action :set_safe_mode before_action :set_safe_mode
# before_action :secure_cookies_check # before_action :secure_cookies_check
layout "default" layout "default"
force_ssl :if => :ssl_login?
helper_method :show_moderation_notice? helper_method :show_moderation_notice?
before_action :enable_cors before_action :enable_cors
@@ -32,10 +31,6 @@ class ApplicationController < ActionController::Base
CurrentUser.can_approve_posts? && (cookies[:moderated].blank? || Time.at(cookies[:moderated].to_i) < 20.hours.ago) CurrentUser.can_approve_posts? && (cookies[:moderated].blank? || Time.at(cookies[:moderated].to_i) < 20.hours.ago)
end end
def ssl_login?
cookies[:ssl_login].present?
end
def enable_cors def enable_cors
response.headers["Access-Control-Allow-Origin"] = "*" response.headers["Access-Control-Allow-Origin"] = "*"
end end

5
app/controllers/user_upgrades_controller.rb
View File

@@ -1,7 +1,6 @@
class UserUpgradesController < ApplicationController class UserUpgradesController < ApplicationController
before_action :member_only, :only => [:new, :show] before_action :member_only, :only => [:new, :show]
helper_method :user helper_method :user
force_ssl :if => :ssl_enabled?
skip_before_action :verify_authenticity_token, only: [:create] skip_before_action :verify_authenticity_token, only: [:create]
def create def create
@@ -57,8 +56,4 @@ class UserUpgradesController < ApplicationController
redirect_to user_upgrade_path redirect_to user_upgrade_path
end end
def ssl_enabled?
!Rails.env.development? && !Rails.env.test?
end
end end

6
app/controllers/users_controller.rb
View File

@@ -71,12 +71,6 @@ class UsersController < ApplicationController
respond_with(@user, location: edit_user_path(@user)) respond_with(@user, location: edit_user_path(@user))
end end
def cache
@user = User.find(params[:id])
@user.update_cache
render plain: ""
end
private private
def check_privilege(user) def check_privilege(user)

8
app/logical/session_creator.rb
View File

@@ -28,14 +28,6 @@ class SessionCreator
} }
end end
if secure
cookies.permanent[:ssl_login] = {
:value => "1",
:secure => true,
:httponly => true
}
end
session[:user_id] = user.id session[:user_id] = user.id
user.update_column(:last_ip_addr, ip_addr) user.update_column(:last_ip_addr, ip_addr)
return true return true

2
app/models/user.rb
View File

@@ -191,7 +191,7 @@ class User < ApplicationRecord
def update_remote_cache def update_remote_cache
if saved_change_to_name? if saved_change_to_name?
Danbooru.config.other_server_hosts.each do |server| Danbooru.config.other_server_hosts.each do |server|
HTTParty.delete("http://#{server}/users/#{id}/cache", Danbooru.config.httparty_options) delay(queue: server).update_cache
end end
end end
rescue Exception rescue Exception

2
app/presenters/post_presenter.rb
View File

@@ -168,7 +168,7 @@ class PostPresenter < Presenter
def safe_mode_message(template) def safe_mode_message(template)
html = ["This image is unavailable on safe mode (#{Danbooru.config.app_name}). Go to "] html = ["This image is unavailable on safe mode (#{Danbooru.config.app_name}). Go to "]
html << template.link_to("Danbooru", "http://danbooru.donmai.us") html << template.link_to("Danbooru", "http://danbooru.donmai.us") # XXX don't hardcode.
html << " or disable safe mode to view (" html << " or disable safe mode to view ("
html << template.link_to("learn more", template.wiki_pages_path(title: "help:user_settings")) html << template.link_to("learn more", template.wiki_pages_path(title: "help:user_settings"))
html << ")." html << ")."

10
app/views/layouts/default.html.erb
View File

@@ -48,9 +48,9 @@
"@context" : "http://schema.org", "@context" : "http://schema.org",
"@type" : "Organization", "@type" : "Organization",
"name" : "<%= Danbooru.config.app_name %>", "name" : "<%= Danbooru.config.app_name %>",
"url" : "http://<%= Danbooru.config.hostname%>", "url" : "<%= root_url %>",
"sameAs" : [ "sameAs" : [
"http://twitter.com/<%= Danbooru.config.twitter_site[1..-1] %>" "https://twitter.com/<%= Danbooru.config.twitter_site[1..-1] %>"
] ]
} }
</script> </script>
@@ -59,10 +59,10 @@
{ {
"@context": "http://schema.org", "@context": "http://schema.org",
"@type": "WebSite", "@type": "WebSite",
"url" : "http://<%= Danbooru.config.hostname %>", "url" : "<%= root_url %>",
"potentialAction": [{ "potentialAction": [{
"@type": "SearchAction", "@type": "SearchAction",
"target": "http://<%= Danbooru.config.hostname %>/posts?tags={search_term_string}", "target": "<%= posts_url %>?tags={search_term_string}",
"query-input": "required name=search_term_string" "query-input": "required name=search_term_string"
}] }]
} }
@@ -73,7 +73,7 @@
"@type": "WebSite", "@type": "WebSite",
"name": "<%= Danbooru.config.app_name %>", "name": "<%= Danbooru.config.app_name %>",
"alternateName": "<%= Danbooru.config.description %>", "alternateName": "<%= Danbooru.config.description %>",
"url" : "http://<%= Danbooru.config.hostname %>" "url" : "<%= root_url %>"
} }
</script> </script>
</head> </head>

2
app/views/legacy/create_post.xml.erb
View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<response> <response>
<post-id>0</post-id> <post-id>0</post-id>
<location>http://<%= Danbooru.config.hostname %>/uploads/<%= @upload.id %></location> <location><%= upload_url(@upload) %></location>
</response> </response>

16
app/views/static/mrtg.html.erb
View File

@@ -2,37 +2,37 @@
<h3>5 min</h3> <h3>5 min</h3>
<img src="http://mrtg.vinax.net/switch3/switch3_27-day.png"> <img src="https://mrtg.vinax.net/switch3/switch3_27-day.png">
<h3>30 min</h3> <h3>30 min</h3>
<img src="http://mrtg.vinax.net/switch3/switch3_27-week.png"> <img src="https://mrtg.vinax.net/switch3/switch3_27-week.png">
<h3>2 hour</h3> <h3>2 hour</h3>
<img src="http://mrtg.vinax.net/switch3/switch3_27-month.png"> <img src="https://mrtg.vinax.net/switch3/switch3_27-month.png">
<h3>1 day</h3> <h3>1 day</h3>
<img src="http://mrtg.vinax.net/switch3/switch3_27-year.png"> <img src="https://mrtg.vinax.net/switch3/switch3_27-year.png">
<h1>hijiribe</h1> <h1>hijiribe</h1>
<h3>5 min</h3> <h3>5 min</h3>
<img src="http://mrtg.vinax.net/switch3/switch3_29-day.png"> <img src="https://mrtg.vinax.net/switch3/switch3_29-day.png">
<h3>30 min</h3> <h3>30 min</h3>
<img src="http://mrtg.vinax.net/switch3/switch3_29-week.png"> <img src="https://mrtg.vinax.net/switch3/switch3_29-week.png">
<h3>2 hour</h3> <h3>2 hour</h3>
<img src="http://mrtg.vinax.net/switch3/switch3_29-month.png"> <img src="https://mrtg.vinax.net/switch3/switch3_29-month.png">
<h3>1 day</h3> <h3>1 day</h3>
<img src="http://mrtg.vinax.net/switch3/switch3_29-year.png"> <img src="https://mrtg.vinax.net/switch3/switch3_29-year.png">
<% content_for(:page_title) do %> <% content_for(:page_title) do %>
MRTG - <%= Danbooru.config.app_name %> MRTG - <%= Danbooru.config.app_name %>

2
app/views/users/edit.html.erb
View File

@@ -93,7 +93,7 @@
<%= f.input :disable_responsive_mode, :as => :select, :collection => [["No", "false"], ["Yes", "true"]], :include_blank => false, :hint => "Disable alternative layout for mobile and tablet" %> <%= f.input :disable_responsive_mode, :as => :select, :collection => [["No", "false"], ["Yes", "true"]], :include_blank => false, :hint => "Disable alternative layout for mobile and tablet" %>
<%= f.input :custom_style, :label => "Custom <a href='http://en.wikipedia.org/wiki/Cascading_Style_Sheets'>CSS</a> style".html_safe, :hint => "Style to apply to the whole site.", :input_html => {:size => "40x5"} %> <%= f.input :custom_style, :label => "Custom <a href='https://en.wikipedia.org/wiki/Cascading_Style_Sheets'>CSS</a> style".html_safe, :hint => "Style to apply to the whole site.", :input_html => {:size => "40x5"} %>
</fieldset> </fieldset>
<%= f.button :submit, "Submit" %> <%= f.button :submit, "Submit" %>

15
config/application.rb
View File

@@ -6,11 +6,13 @@ if defined?(Bundler)
end end
Bundler.require(*Rails.groups) Bundler.require(*Rails.groups)
require_relative "danbooru_default_config"
require_relative "danbooru_local_config"
module Danbooru module Danbooru
class Application < Rails::Application class Application < Rails::Application
# Initialize configuration defaults for originally generated Rails version. # Initialize configuration defaults for originally generated Rails version.
config.load_defaults 5.1 config.load_defaults 5.1
config.active_record.schema_format = :sql config.active_record.schema_format = :sql
config.encoding = "utf-8" config.encoding = "utf-8"
config.filter_parameters += [:password] config.filter_parameters += [:password]
@@ -24,6 +26,17 @@ module Danbooru
config.action_mailer.perform_deliveries = true config.action_mailer.perform_deliveries = true
config.log_tags = [lambda {|req| "PID:#{Process.pid}"}] config.log_tags = [lambda {|req| "PID:#{Process.pid}"}]
config.action_controller.action_on_unpermitted_parameters = :raise config.action_controller.action_on_unpermitted_parameters = :raise
config.force_ssl = true
if Rails.env.production? && Danbooru.config.ssl_options.present?
config.ssl_options = Danbooru.config.ssl_options
else
config.ssl_options = {
hsts: false,
secure_cookies: false,
redirect: { exclude: ->(request) { true } }
}
end
if File.exists?("#{config.root}/REVISION") if File.exists?("#{config.root}/REVISION")
config.x.git_hash = File.read("#{config.root}/REVISION").strip config.x.git_hash = File.read("#{config.root}/REVISION").strip

26
config/danbooru_default_config.rb
View File

@@ -198,6 +198,26 @@ module Danbooru
1.week.ago 1.week.ago
end end
# Permanently redirect all HTTP requests to HTTPS.
#
# https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# http://api.rubyonrails.org/classes/ActionDispatch/SSL.html
def ssl_options
{
redirect: { exclude: ->(request) { request.subdomain == "insecure" } },
hsts: {
expires: 1.year,
preload: true,
subdomains: false,
},
}
end
# Disable the forced use of HTTPS.
# def ssl_options
# false
# end
# The name of the server the app is hosted on. # The name of the server the app is hosted on.
def server_host def server_host
Socket.gethostname Socket.gethostname
@@ -772,4 +792,10 @@ module Danbooru
end end
end end
end end
def config
@configuration ||= EnvironmentConfiguration.new
end
module_function :config
end end

10
config/initializers/danbooru_config.rb
View File

@@ -1,10 +0,0 @@
require "#{Rails.root}/config/danbooru_default_config"
require "#{Rails.root}/config/danbooru_local_config"
module Danbooru
def config
@configuration ||= EnvironmentConfiguration.new
end
module_function :config
end

4
config/routes.rb
View File

@@ -291,10 +291,6 @@ Rails.application.routes.draw do
get :search get :search
get :custom_style get :custom_style
end end
member do
delete :cache
end
end end
resource :user_upgrade, :only => [:new, :create, :show] resource :user_upgrade, :only => [:new, :create, :show]
resources :user_feedbacks do resources :user_feedbacks do

2
script/install/nginx.danbooru.conf
View File

@@ -71,7 +71,7 @@ server {
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off; proxy_redirect off;
proxy_set_header Host $host:$server_port; proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto http; proxy_set_header X-Forwarded-Proto $scheme;
} }
location / { location / {