From bd155b39fec86c2115f5555a023fce807e6d15f4 Mon Sep 17 00:00:00 2001
From: thom <thom@amsterdamtech.nl>
Date: Fri, 24 Jul 2020 23:30:15 +0200
Subject: [PATCH 1/4] Set DirectoryIndex and unset CSP for /stats

---
 server/plugins-available/apache2_plugin.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 26f2948256..174228eb48 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -1841,7 +1841,7 @@ class apache2_plugin {
 
 		if($data['new']['stats_type'] != '') {
 			if(!is_dir($data['new']['document_root'].'/' . $web_folder . '/stats')) $app->system->mkdir($data['new']['document_root'].'/' . $web_folder . '/stats');
-			$ht_file = "AuthType Basic\nAuthName \"Members Only\"\nAuthUserFile ".$data['new']['document_root']."/web/stats/.htpasswd_stats\nrequire valid-user";
+			$ht_file = "AuthType Basic\nAuthName \"Members Only\"\nAuthUserFile ".$data['new']['document_root']."/web/stats/.htpasswd_stats\nrequire valid-user\nDirectoryIndex index.php\nHeader unset Content-Security-Policy";
 			$app->system->file_put_contents($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', $ht_file);
 			$app->system->chmod($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', 0755);
 			unset($ht_file);
-- 
GitLab


From b63fa47694fe3a0f4b002b7d426c12862c82bf50 Mon Sep 17 00:00:00 2001
From: thom <thom@amsterdamtech.nl>
Date: Sat, 25 Jul 2020 19:28:06 +0200
Subject: [PATCH 2/4] Set DirectoryIndex

---
 server/plugins-available/apache2_plugin.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 174228eb48..0153b2597d 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -1841,7 +1841,7 @@ class apache2_plugin {
 
 		if($data['new']['stats_type'] != '') {
 			if(!is_dir($data['new']['document_root'].'/' . $web_folder . '/stats')) $app->system->mkdir($data['new']['document_root'].'/' . $web_folder . '/stats');
-			$ht_file = "AuthType Basic\nAuthName \"Members Only\"\nAuthUserFile ".$data['new']['document_root']."/web/stats/.htpasswd_stats\nrequire valid-user\nDirectoryIndex index.php\nHeader unset Content-Security-Policy";
+			$ht_file = "AuthType Basic\nAuthName \"Members Only\"\nAuthUserFile ".$data['new']['document_root']."/web/stats/.htpasswd_stats\nrequire valid-user\nDirectoryIndex index.html index.htm index.php\nHeader unset Content-Security-Policy";
 			$app->system->file_put_contents($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', $ht_file);
 			$app->system->chmod($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', 0755);
 			unset($ht_file);
-- 
GitLab


From 5bbacaa1367637fe86716432c29d48facb76084d Mon Sep 17 00:00:00 2001
From: thom <thom@amsterdamtech.nl>
Date: Sat, 25 Jul 2020 19:35:26 +0200
Subject: [PATCH 3/4] Set DirectoryIndex - index.html and index.php

---
 server/plugins-available/apache2_plugin.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 0153b2597d..ea85c51a2b 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -1841,7 +1841,7 @@ class apache2_plugin {
 
 		if($data['new']['stats_type'] != '') {
 			if(!is_dir($data['new']['document_root'].'/' . $web_folder . '/stats')) $app->system->mkdir($data['new']['document_root'].'/' . $web_folder . '/stats');
-			$ht_file = "AuthType Basic\nAuthName \"Members Only\"\nAuthUserFile ".$data['new']['document_root']."/web/stats/.htpasswd_stats\nrequire valid-user\nDirectoryIndex index.html index.htm index.php\nHeader unset Content-Security-Policy";
+			$ht_file = "AuthType Basic\nAuthName \"Members Only\"\nAuthUserFile ".$data['new']['document_root']."/web/stats/.htpasswd_stats\nrequire valid-user\nDirectoryIndex index.html index.php\nHeader unset Content-Security-Policy";
 			$app->system->file_put_contents($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', $ht_file);
 			$app->system->chmod($data['new']['document_root'].'/' . $web_folder . '/stats/.htaccess', 0755);
 			unset($ht_file);
-- 
GitLab


From 61eac82c2b579b94eb1152ce52285dc681a99214 Mon Sep 17 00:00:00 2001
From: thom <thom@amsterdamtech.nl>
Date: Sat, 25 Jul 2020 19:42:28 +0200
Subject: [PATCH 4/4] Add CSP for /stats

---
 server/conf/nginx_vhost.conf.master | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/conf/nginx_vhost.conf.master b/server/conf/nginx_vhost.conf.master
index ce245787a5..3fc50cc108 100644
--- a/server/conf/nginx_vhost.conf.master
+++ b/server/conf/nginx_vhost.conf.master
@@ -168,6 +168,7 @@ server {
             index index.html index.php;
             auth_basic "Members Only";
             auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
+            add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline';";
         }
 
         location ^~ /awstats-icon {
-- 
GitLab