From: Ján M. <jan...@in...> - 2023-10-22 22:49:16

Hi all,

the current Debian Bookworm package:

    Package: davical
    Version: 1.1.12-2

contains the following file:

    /etc/apache2/sites-available/davical.conf

with the following content:

    # All content for our UI should be served locally.
    <FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
        Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self' sis.redsys.es; frame-ancestors 'self'"
    </FilesMatch>

where the interesting part is:

    form-action 'self' sis.redsys.es

Why is DAViCal server allowed to send forms to sis.redsys.es?

JM
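An added example, not part of the original post or of the DAViCal package: a Python check that reads Apache `Header ... Content-Security-Policy` lines and lists every directive naming a host other than the site itself, which is how an entry like the one above can be caught when reviewing packaged configs. The sample input is the block quoted in the post; the function names are hypothetical.

```python
import re

# Sample input: the FilesMatch block quoted in the post above.
SAMPLE_CONF = """\
# All content for our UI should be served locally.
<FilesMatch "(admin|help|iSchedule|index|metrics|public|setup|tools|upgrade).php">
    Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self' sis.redsys.es; frame-ancestors 'self'"
</FilesMatch>
"""

# Apache mod_headers: Header [always|onsuccess] <action> <header-name> "<value>"
CSP_HEADER = re.compile(
    r'^\s*Header\s+(?:always\s+|onsuccess\s+)?(?:set|append|add|merge|setifempty)\s+'
    r'Content-Security-Policy(?:-Report-Only)?\s+"([^"]*)"',
    re.IGNORECASE | re.MULTILINE)

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def is_host_source(source):
    """True for named hosts and wildcards; False for keywords and bare schemes."""
    if source.startswith("'") and source.endswith("'"):
        return False   # 'self', 'none', 'unsafe-inline', nonces, hashes
    if re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*:", source):
        return False   # scheme-only source such as data: (not reported here)
    return True        # e.g. sis.redsys.es, https://host, *.example.org, *

def external_sources(conf_text):
    """Return sorted (directive, source) pairs that name a host or wildcard."""
    found = set()
    for match in CSP_HEADER.finditer(conf_text):
        for directive, sources in parse_csp(match.group(1)).items():
            found.update((directive, s) for s in sources if is_host_source(s))
    return sorted(found)

if __name__ == "__main__":
    for directive, source in external_sources(SAMPLE_CONF):
        print(f"{directive}: {source}")
```

Pointing `external_sources` at the text of each file under `/etc/apache2/sites-available/` gives a short list to compare against the hosts a deployment is expected to talk to.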