Merge 26.3 to develop

Author: labkey-teamcity

dependencyCheckSuppression.xml

@@ -250,4 +250,37 @@
         <cpe>cpe:/a:vmware:server</cpe>
         <cpe>cpe:/a:vmware:vmware_server</cpe>
     </suppress>
+
+    <!--
+    Some PDFBox example code (ExtractEmbeddedFiles) contains a path traversal vulnerability. The example code isn't
+    packaged in any jars and we already have checks in place to prevent path traversal vulnerabilities.
+    -->
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-debugger-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-debugger@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-io-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-io@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: pdfbox-tools-3.0.4.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.pdfbox/pdfbox-tools@.*$</packageUrl>
+        <cve>CVE-2026-23907</cve>
+    </suppress>
 </suppressions>

server/embedded/src/org/labkey/embedded/LabKeyServer.java

@@ -79,16 +79,17 @@ public static void main(String[] args)
                 script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ${SCRIPT.SOURCES} ;
                 base-uri 'self' ;
                 frame-src 'self' ${FRAME.SOURCES} ;
+                report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api ;
             """;
         // Add upgrade_insecure_requests substitution, frame-ancestors, and enforce version
         String enforceCsp = baseCsp + """
                 ${UPGRADE.INSECURE.REQUESTS}
                 frame-ancestors 'self' ;
-                report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=e14 ;
+                /* cspVersion=e15 */
             """;
         // Leave out upgrade_insecure_requests and frame-ancestors directives, since they produce warnings on some browsers
         String reportCsp = baseCsp + """
-                report-uri ${context.contextPath:}/admin-contentSecurityPolicyReport.api?cspVersion=r14 ;
+                /* cspVersion=r15 */
             """;
 
         application.setDefaultProperties(new HashMap<>()