Merge pull request #8967 from Chocobo1/protect

Add options to control WebUI security measures
2025-12-23 16:58:06 -06:00 · 2018-05-28 14:21:53 +08:00
parent 2ef7adec89 9eeef0be97
commit 4a51f14328
8 changed files with 105 additions and 21 deletions
--- a/src/gui/optionsdlg.cpp
+++ b/src/gui/optionsdlg.cpp
@@ -378,6 +378,8 @@ OptionsDialog::OptionsDialog(QWidget *parent)
    connect(m_ui->checkBypassLocalAuth, &QAbstractButton::toggled, this, &ThisType::enableApplyButton);
    connect(m_ui->checkBypassAuthSubnetWhitelist, &QAbstractButton::toggled, this, &ThisType::enableApplyButton);
    connect(m_ui->checkBypassAuthSubnetWhitelist, &QAbstractButton::toggled, m_ui->IPSubnetWhitelistButton, &QPushButton::setEnabled);
+    connect(m_ui->checkClickjacking, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
+    connect(m_ui->checkCSRFProtection, &QCheckBox::toggled, this, &ThisType::enableApplyButton);
    connect(m_ui->checkDynDNS, &QGroupBox::toggled, this, &ThisType::enableApplyButton);
    connect(m_ui->comboDNSService, qComboBoxCurrentIndexChanged, this, &ThisType::enableApplyButton);
    connect(m_ui->domainNameTxt, &QLineEdit::textChanged, this, &ThisType::enableApplyButton);
@@ -694,6 +696,9 @@ void OptionsDialog::saveOptions()
        pref->setWebUiPassword(webUiPassword());
        pref->setWebUiLocalAuthEnabled(!m_ui->checkBypassLocalAuth->isChecked());
        pref->setWebUiAuthSubnetWhitelistEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked());
+        // Security
+        pref->setWebUiClickjackingProtectionEnabled(m_ui->checkClickjacking->isChecked());
+        pref->setWebUiCSRFProtectionEnabled(m_ui->checkCSRFProtection->isChecked());
        // DynDNS
        pref->setDynDNSEnabled(m_ui->checkDynDNS->isChecked());
        pref->setDynDNSService(m_ui->comboDNSService->currentIndex());
@@ -1096,6 +1101,10 @@ void OptionsDialog::loadOptions()
    m_ui->checkBypassAuthSubnetWhitelist->setChecked(pref->isWebUiAuthSubnetWhitelistEnabled());
    m_ui->IPSubnetWhitelistButton->setEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked());

+    // Security
+    m_ui->checkClickjacking->setChecked(pref->isWebUiClickjackingProtectionEnabled());
+    m_ui->checkCSRFProtection->setChecked(pref->isWebUiCSRFProtectionEnabled());
+
    m_ui->checkDynDNS->setChecked(pref->isDynDNSEnabled());
    m_ui->comboDNSService->setCurrentIndex(static_cast<int>(pref->getDynDNSService()));
    m_ui->domainNameTxt->setText(pref->getDynDomainName());
--- a/src/gui/optionsdlg.ui
+++ b/src/gui/optionsdlg.ui
@@ -3168,6 +3168,20 @@ Use ';' to split multiple entries. Can use wildcard '*'.</string>
                 </layout>
                </widget>
               </item>
+               <item>
+                <widget class="QCheckBox" name="checkClickjacking">
+                 <property name="text">
+                  <string>Enable clickjacking protection</string>
+                 </property>
+                </widget>
+               </item>
+               <item>
+                <widget class="QCheckBox" name="checkCSRFProtection">
+                 <property name="text">
+                  <string>Enable Cross-Site Request Forgery (CSRF) protection</string>
+                 </property>
+                </widget>
+               </item>
               <item>
                <widget class="QGroupBox" name="checkDynDNS">
                 <property name="title">