From 37a6e60e90da3de376941d55cd78204fbd9ddfa2 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Wed, 18 Oct 2023 13:53:21 +0200
Subject: [PATCH] Do not allow newlines in CSP rules
---
 src/apps.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/apps.js b/src/apps.js
index 6a8b4a0cb..ebf09e92e 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -441,8 +441,8 @@ function validateCsp(csp) {
 if (csp === null) return null;
 if (csp.length > 4096) return new BoxError(BoxError.BAD_FIELD, 'CSP must be less than 4096');
- if (csp.includes('"')) return new BoxError(BoxError.BAD_FIELD, 'CSP cannot contains double quotes');
+ if (csp.includes('\n')) return new BoxError(BoxError.BAD_FIELD, 'CSP cannot contain newlines');
 return null;
 }
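Review bot: The added guard in validateCsp rejects only a line feed, so a carriage return or any other control character still passes validation. The consumer of this value is not visible in the hunk, but if it ends up in a response header or a generated server configuration, the check should cover both line terminators, for example `if (/[\r\n]/.test(csp)) return new BoxError(BoxError.BAD_FIELD, 'CSP cannot contain newlines');`. The same change also drops the double-quote rejection, so whatever writes the value out now has to quote or escape it itself. A short comment such as `// double quotes are allowed here; the writer escapes them` would record where that is handled, if that is indeed the case. The function's opening line appears only in the hunk header.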