authorMaximilian Bosch <maximilian@mbosch.me>2024-04-17 17:36:32 +0200
committerMaximilian Bosch <maximilian@mbosch.me>2024-04-17 17:36:32 +0200
commit090016aa649b6b5a547557ef5c010a7fca8d7b40 (patch)
tree7f22a712afe91ee36386925effa6dc195bc6f9d4
parent8bc628c7d96aa5cf767bad443091f39aed0cbad0 (diff)
gitea: backport CSP patch in markdown renderer
See https://github.com/NixOS/nixpkgs/pull/304494#issuecomment-2059284122
-rw-r--r--pkgs/applications/version-management/gitea/csp-early-1.21.11.patch20
-rw-r--r--pkgs/applications/version-management/gitea/default.nix3
2 files changed, 23 insertions, 0 deletions
diff --git a/pkgs/applications/version-management/gitea/csp-early-1.21.11.patch b/pkgs/applications/version-management/gitea/csp-early-1.21.11.patch
new file mode 100644
index 0000000000000..2b479fb21cf7b
--- /dev/null
+++ b/pkgs/applications/version-management/gitea/csp-early-1.21.11.patch
@@ -0,0 +1,20 @@
+diff --git a/routers/web/repo/render.go b/routers/web/repo/render.go
+index f07b4e8c11..1fcaa83c4f 100644
+--- a/routers/web/repo/render.go
++++ b/routers/web/repo/render.go
+@@ -44,6 +44,7 @@ func RenderFile(ctx *context.Context) {
+ 	isTextFile := st.IsText()
+ 
+ 	rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc))
++	ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
+ 
+ 	if markupType := markup.Type(blob.Name()); markupType == "" {
+ 		if isTextFile {
+@@ -62,7 +63,6 @@ func RenderFile(ctx *context.Context) {
+ 		treeLink += "/" + util.PathEscapeSegments(ctx.Repo.TreePath)
+ 	}
+ 
+-	ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
+ 	err = markup.Render(&markup.RenderContext{
+ 		Ctx:              ctx,
+ 		RelativePath:     ctx.Repo.TreePath,
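Review bot: The relocated `ctx.Resp.Header().Add("Content-Security-Policy", ...)` line in RenderFile has no comment saying why it must sit above the `markupType == ""` branch. That branch presumably writes the response and returns early, so a later refactor could move the header back below it and the non-markup path would again be served without the policy. I would add `// Must be set before any branch writes the response body, including the non-markup path below.` directly above the line. The call uses `Add` rather than `Set`, so a Content-Security-Policy set earlier in the handler chain would be sent alongside this one; browsers enforce every policy they receive, so this should only tighten things, but it is worth confirming. RenderFile starts and ends outside the hunk, so what the early branch writes is not visible here.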
diff --git a/pkgs/applications/version-management/gitea/default.nix b/pkgs/applications/version-management/gitea/default.nix
index 9f452d73f46ed..58f73aa4bc56a 100644
--- a/pkgs/applications/version-management/gitea/default.nix
+++ b/pkgs/applications/version-management/gitea/default.nix
@@ -39,6 +39,9 @@ buildGoModule rec {
       hash = "sha256-cThW3EnHR695thajbnmfNziVB/iBP9OPeDgWbszYIeg=";
     })
     ./XSS-vulnerabilities-1.21.6.patch
+
+    # Derived from https://github.com/go-gitea/gitea/pull/30136
+    ./csp-early-1.21.11.patch
   ];
 
   postPatch = ''
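Review bot: The comment above `./csp-early-1.21.11.patch` names the upstream pull request but not what the patch fixes or when it can be dropped, which makes a stale security backport easy to overlook on the next version bump. Something like `# Sets the CSP header before the non-markup branch of RenderFile; remove once the packaged release includes go-gitea/gitea#30136.` would cover both. The `patches` list begins outside the hunk.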