fix: Make sure CSP nonce is not double base64 encoded

Signed-off-by: Ferdinand Thiessen <[email protected]>
nextcloud · Aug 2, 2024 · 2d57994 · 2d57994
1 parent 96a0092
commit 2d57994
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
@@ -30,7 +30,10 @@ public function __construct(
 	public function getNonce(): string {
 		if ($this->nonce === '') {
 			if (empty($this->request->server['CSP_NONCE'])) {
-				$this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue());
+				// Get the token from the CSRF token, we only use the "shared secret" part
+				// as the first part does not add any security / entropy to the token
+				// so it can be ignored to keep the nonce short while keeping the same randomness
+				$this->nonce = end(explode(':', ($this->csrfTokenManager->getToken()->getEncryptedValue())));
 			} else {
 				$this->nonce = $this->request->server['CSP_NONCE'];
 			}

diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
@@ -89,7 +89,7 @@ public function useStrictDynamicOnScripts(bool $state = false): self {
 	}
 
 	/**
-	 * Use the according JS nonce
+	 * Use the according base64 encoded JS nonce
 	 * This method is only for CSPMiddleware, custom values are ignored in mergePolicies of ContentSecurityPolicyManager
 	 *
 	 * @param string $nonce
@@ -448,7 +448,7 @@ public function buildPolicy() {
 				if ($this->strictDynamicAllowed) {
 					$scriptSrc .= '\'strict-dynamic\' ';
 				}
-				$scriptSrc .= '\'nonce-'.base64_encode($this->jsNonce).'\'';
+				$scriptSrc .= '\'nonce-'.$this->jsNonce.'\'';
 				$allowedScriptDomains = array_flip($this->allowedScriptDomains);
 				unset($allowedScriptDomains['\'self\'']);
 				$this->allowedScriptDomains = array_flip($allowedScriptDomains);