Mercurial > hg > orthanc-authorization

comparison Plugin/DefaultAuthorizationParser.cpp @ 77:94a9484d7f8f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fix security issues allowing to browse remote dicom servers + introduced UnitTests
author Alain Mazy <am@osimis.io>
date Wed, 15 Mar 2023 16:36:42 +0100
parents 1a13c4fbc9a1
children 0ffad746a16b
comparison
equal deleted inserted replaced
76:d301047ee3c4 77:94a9484d7f8f
48 48
49 dicomWebInstances_ = boost::regex( 49 dicomWebInstances_ = boost::regex(
50 "^" + tmp + "/studies/([.0-9]+)/series/([.0-9]+)/instances/([.0-9]+)(|/|/frames/.*)$"); 50 "^" + tmp + "/studies/([.0-9]+)/series/([.0-9]+)/instances/([.0-9]+)(|/|/frames/.*)$");
51 51
52 dicomWebQidoRsFind_ = boost::regex( 52 dicomWebQidoRsFind_ = boost::regex(
53 "^" + tmp + "/(studies|series|instances)\?(.*)$"); 53 "^" + tmp + "/(studies|series|instances)$");
54 } 54 }
55 55
56 56
57 bool DefaultAuthorizationParser::Parse(AccessedResources& target, 57 bool DefaultAuthorizationParser::Parse(AccessedResources& target,
58 const std::string& uri, 58 const std::string& uri,
132 AddOrthancInstance(target, what[2]); 132 AddOrthancInstance(target, what[2]);
133 return true; 133 return true;
134 } 134 }
135 else if (boost::regex_match(uri, what, dicomWebQidoRsFind_)) 135 else if (boost::regex_match(uri, what, dicomWebQidoRsFind_))
136 { 136 {
137 std::string studyInstanceUid, seriesInstanceUid, sopInstanceUid; 137 std::string studyInstanceUid, seriesInstanceUid, sopInstanceUid, patientId;
138 138
139 studyInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000D", ""); 139 studyInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000D", "");
140 seriesInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000E", ""); 140 seriesInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000E", "");
141 sopInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "00080018", ""); 141 sopInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "00080018", "");
142 patientId = Orthanc::HttpToolbox::GetArgument(getArguments, "00100010", "");
142 143
143 if (!sopInstanceUid.empty() && !seriesInstanceUid.empty() && !studyInstanceUid.empty()) 144 if (!sopInstanceUid.empty() && !seriesInstanceUid.empty() && !studyInstanceUid.empty())
144 { 145 {
145 AddDicomInstance(target, studyInstanceUid, seriesInstanceUid, sopInstanceUid); 146 AddDicomInstance(target, studyInstanceUid, seriesInstanceUid, sopInstanceUid);
147 return true;
146 } 148 }
147 else if (!seriesInstanceUid.empty() && !studyInstanceUid.empty()) 149 else if (!seriesInstanceUid.empty() && !studyInstanceUid.empty())
148 { 150 {
149 AddDicomSeries(target, studyInstanceUid, seriesInstanceUid); 151 AddDicomSeries(target, studyInstanceUid, seriesInstanceUid);
152 return true;
150 } 153 }
151 else if (!studyInstanceUid.empty()) 154 else if (!studyInstanceUid.empty())
152 { 155 {
153 AddDicomStudy(target, studyInstanceUid); 156 AddDicomStudy(target, studyInstanceUid);
157 return true;
154 } 158 }
155 return true; 159 else if (!patientId.empty())
160 {
161 AddDicomPatient(target, patientId);
162 return true;
163 }
156 } 164 }
157 else 165
166 // Unknown type of resource: Consider it as a system access
167
168 // Remove the trailing slashes if need be
169 std::string s = uri;
170 while (!s.empty() &&
171 s[s.length() - 1] == '/')
158 { 172 {
159 // Unknown type of resource: Consider it as a system access 173 s = s.substr(0, s.length() - 1);
160 174 }
161 // Remove the trailing slashes if need be 175
162 std::string s = uri; 176 target.push_back(AccessedResource(AccessLevel_System, s, ""));
163 while (!s.empty() && 177 return true;
164 s[s.length() - 1] == '/')
165 {
166 s = s.substr(0, s.length() - 1);
167 }
168
169 target.push_back(AccessedResource(AccessLevel_System, s, ""));
170 return true;
171 }
172 } 178 }
173 } 179 }