commit/galaxy-central: 3 new changesets
3 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/bca09a437845/ Changeset: bca09a437845 Branch: next-stable User: jmchilton Date: 2014-11-25 14:59:40+00:00 Summary: Enable defense against clickjacking out of the box. Look in config/galaxy.ini.sample for the option 'x_frame_options' for more information. Affected #: 3 files
diff -r c1a9ed13d5f71deb671ab83ed262c0a861c469d2 -r bca09a437845ad229b141a33174894e90f36d916 config/galaxy.ini.sample
--- a/config/galaxy.ini.sample
+++ b/config/galaxy.ini.sample
@@ -523,6 +523,15 @@
 # it faster on the fly.
 #upstream_gzip = False
+# The following default adds a header to web request responses that will cause
+# modern web browsers to not allow Galaxy to be embedded in the frames of web
+# applications hosted at other hosts - this can help prevent a class of attack
+# called clickjacking (https://www.owasp.org/index.php/Clickjacking). If you
+# configuring a proxy to sit infront of Galaxy - please ensure this header
+# remains intact to protect your users. Uncomment and leave empty to not set
+# the `X-Frame-Options` header.
+#x_frame_options = SAMEORIGIN
+
 # nginx can also handle file uploads (user-to-Galaxy) via nginx_upload_module.
 # Configuration for this is complex and explained in detail in the
 # documentation linked above. The upload store is a temporary directory in
diff -r c1a9ed13d5f71deb671ab83ed262c0a861c469d2 -r bca09a437845ad229b141a33174894e90f36d916 lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
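Review bot: Two sentences in the new comment block above `#x_frame_options = SAMEORIGIN` have wording slips that every fresh deployment will copy into its config: `# configuring a proxy to sit infront of Galaxy - please ensure this header` should read `# are configuring a proxy to sit in front of Galaxy - please ensure this header` (the preceding line ends in `If you`). The phrase `hosted at other hosts` also undersells what `SAMEORIGIN` does, since browsers compare the full origin (scheme, host and port), so `served from a different origin` is the more accurate wording. The same hunk is repeated verbatim in the merge changeset c7d09076b630 further down this page.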
@@ -96,6 +96,7 @@
 # been migrated from the Galaxy code distribution to the Tool Shed.
 self.check_migrate_tools = string_as_bool( kwargs.get( 'check_migrate_tools', True ) )
 self.shed_tool_data_path = kwargs.get( "shed_tool_data_path", None )
+ self.x_frame_options = kwargs.get( "x_frame_options", "SAMEORIGIN" )
 if self.shed_tool_data_path:
 self.shed_tool_data_path = resolve_path( self.shed_tool_data_path, self.root )
 else:
diff -r c1a9ed13d5f71deb671ab83ed262c0a861c469d2 -r bca09a437845ad229b141a33174894e90f36d916 lib/galaxy/web/framework/webapp.py
--- a/lib/galaxy/web/framework/webapp.py
+++ b/lib/galaxy/web/framework/webapp.py
@@ -175,7 +175,11 @@
 base.DefaultWebTransaction.__init__( self, environ )
 self.setup_i18n()
 self.expunge_all()
- self.debug = asbool( self.app.config.get( 'debug', False ) )
+ config = self.app.config
+ self.debug = asbool( config.get( 'debug', False ) )
+ x_frame_options = getattr( config, 'x_frame_options', None )
+ if x_frame_options:
+ self.response.headers['X-Frame-Options'] = x_frame_options
 # Flag indicating whether we are in workflow building mode (means
 # that the current history should not be used for parameter values
 # and such).
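Review bot: `self.x_frame_options = kwargs.get( "x_frame_options", "SAMEORIGIN" )` stores the option without checking it against the values browsers understand (`DENY`, `SAMEORIGIN`, and in older browsers `ALLOW-FROM <uri>`); a typo such as `SAME-ORIGIN` is sent as-is, silently ignored by the browser, and the deployment is unprotected while the operator believes it is not. A load-time warning would surface this, e.g. `if self.x_frame_options and self.x_frame_options.upper() not in ( 'DENY', 'SAMEORIGIN' ) and not self.x_frame_options.upper().startswith( 'ALLOW-FROM ' ):` followed by a log call, assuming this module has a logger in scope (not visible on the page). The new line is also inserted between `self.shed_tool_data_path = kwargs.get( ... )` and the `if self.shed_tool_data_path:` that consumes it, splitting a related pair inside tool-shed configuration; placing it with the other web-facing options reads better. The enclosing `__init__` starts and ends outside the hunk, and the same hunk recurs in merge changeset c7d09076b630.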
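Review bot: `x_frame_options = getattr( config, 'x_frame_options', None )` reads the option defensively even though config.py now always sets it, presumably because this transaction class also serves an app whose config object lacks the attribute; that reason belongs in a comment, e.g. `# getattr: not every app config served by this transaction defines x_frame_options`. The header is attached to `self.response` inside the transaction constructor, so if any later error or redirect path builds a fresh response object the header is lost; whether that happens cannot be determined from this page and is worth checking. The local `config` introduced here is also relied on by the `@@ -202,9 +206,9 @@` hunk of the same method, with the intervening lines not shown, so the rename assumes nothing rebinds `config` in between. The enclosing method starts and ends outside the hunk, and both hunks are repeated in merge changeset c7d09076b630.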
@@ -202,9 +206,9 @@
 # When we've authenticated by session, we have to check the
 # following.
 # Prevent deleted users from accessing Galaxy
- if self.app.config.use_remote_user and self.galaxy_session.user.deleted:
+ if config.use_remote_user and self.galaxy_session.user.deleted:
 self.response.send_redirect( url_for( '/static/user_disabled.html' ) )
- if self.app.config.require_login:
+ if config.require_login:
 self._ensure_logged_in_user( environ, session_cookie )
 def setup_i18n( self ):
https://bitbucket.org/galaxy/galaxy-central/commits/696b29477881/ Changeset: 696b29477881 Branch: next-stable User: jmchilton Date: 2014-11-25 14:59:40+00:00 Summary: Issue session cookies using 'secure' flag for HTTPS requests. For more information see https://www.owasp.org/index.php/SecureFlag. Affected #: 1 file
diff -r bca09a437845ad229b141a33174894e90f36d916 -r 696b294778817e68975140bde91894dce5f82299 lib/galaxy/web/framework/webapp.py
--- a/lib/galaxy/web/framework/webapp.py
+++ b/lib/galaxy/web/framework/webapp.py
@@ -265,6 +265,9 @@
 tstamp = time.localtime( time.time() + 3600 * 24 * age )
 self.response.cookies[name]['expires'] = time.strftime( '%a, %d-%b-%Y %H:%M:%S GMT', tstamp )
 self.response.cookies[name]['version'] = version
+ https = self.request.environ[ "wsgi.url_scheme" ] == "https"
+ if https:
+ self.response.cookies[name]['secure'] = True
 try:
 self.response.cookies[name]['httponly'] = True
 except CookieError, e:
https://bitbucket.org/galaxy/galaxy-central/commits/c7d09076b630/ Changeset: c7d09076b630 Branch: next-stable User: dannon Date: 2014-11-25 17:27:41+00:00 Summary: Merged in jmchilton/galaxy-central-fork-1/next-stable (pull request #573) Enhanced client security. Affected #: 3 files
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 config/galaxy.ini.sample
--- a/config/galaxy.ini.sample
+++ b/config/galaxy.ini.sample
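Review bot: `https = self.request.environ[ "wsgi.url_scheme" ] == "https"` only reflects what the WSGI server itself negotiated; behind a TLS-terminating proxy (the deployment the clickjacking comment in galaxy.ini.sample already anticipates) `wsgi.url_scheme` is normally `http` unless the proxy forwards the scheme and something upstream rewrites it, so those deployments keep issuing session cookies without the `secure` flag and nothing on this page tells the operator. A comment on the new line would make the limitation visible, e.g. `# 'secure' is only set when the WSGI layer sees HTTPS; behind a TLS proxy the original scheme must be forwarded and applied to wsgi.url_scheme`, ideally with a matching sentence in the ini sample. The enclosing cookie-setting method starts before this hunk. The same change reappears in merge changeset c7d09076b630 as `@@ -261,6 +265,9 @@`.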
@@ -523,6 +523,15 @@
 # it faster on the fly.
 #upstream_gzip = False
+# The following default adds a header to web request responses that will cause
+# modern web browsers to not allow Galaxy to be embedded in the frames of web
+# applications hosted at other hosts - this can help prevent a class of attack
+# called clickjacking (https://www.owasp.org/index.php/Clickjacking). If you
+# configuring a proxy to sit infront of Galaxy - please ensure this header
+# remains intact to protect your users. Uncomment and leave empty to not set
+# the `X-Frame-Options` header.
+#x_frame_options = SAMEORIGIN
+
 # nginx can also handle file uploads (user-to-Galaxy) via nginx_upload_module.
 # Configuration for this is complex and explained in detail in the
 # documentation linked above. The upload store is a temporary directory in
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
@@ -96,6 +96,7 @@
 # been migrated from the Galaxy code distribution to the Tool Shed.
 self.check_migrate_tools = string_as_bool( kwargs.get( 'check_migrate_tools', True ) )
 self.shed_tool_data_path = kwargs.get( "shed_tool_data_path", None )
+ self.x_frame_options = kwargs.get( "x_frame_options", "SAMEORIGIN" )
 if self.shed_tool_data_path:
 self.shed_tool_data_path = resolve_path( self.shed_tool_data_path, self.root )
 else:
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 lib/galaxy/web/framework/webapp.py
--- a/lib/galaxy/web/framework/webapp.py
+++ b/lib/galaxy/web/framework/webapp.py
@@ -175,7 +175,11 @@
 base.DefaultWebTransaction.__init__( self, environ )
 self.setup_i18n()
 self.expunge_all()
- self.debug = asbool( self.app.config.get( 'debug', False ) )
+ config = self.app.config
+ self.debug = asbool( config.get( 'debug', False ) )
+ x_frame_options = getattr( config, 'x_frame_options', None )
+ if x_frame_options:
+ self.response.headers['X-Frame-Options'] = x_frame_options
 # Flag indicating whether we are in workflow building mode (means
 # that the current history should not be used for parameter values
 # and such).
@@ -202,9 +206,9 @@
 # When we've authenticated by session, we have to check the
 # following.
 # Prevent deleted users from accessing Galaxy
- if self.app.config.use_remote_user and self.galaxy_session.user.deleted:
+ if config.use_remote_user and self.galaxy_session.user.deleted:
 self.response.send_redirect( url_for( '/static/user_disabled.html' ) )
- if self.app.config.require_login:
+ if config.require_login:
 self._ensure_logged_in_user( environ, session_cookie )
 def setup_i18n( self ):
@@ -261,6 +265,9 @@
 tstamp = time.localtime( time.time() + 3600 * 24 * age )
 self.response.cookies[name]['expires'] = time.strftime( '%a, %d-%b-%Y %H:%M:%S GMT', tstamp )
 self.response.cookies[name]['version'] = version
+ https = self.request.environ[ "wsgi.url_scheme" ] == "https"
+ if https:
+ self.response.cookies[name]['secure'] = True
 try:
 self.response.cookies[name]['httponly'] = True
 except CookieError, e:
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.