diff Plugin/DefaultAuthorizationParser.cpp @ 77:94a9484d7f8f
fix security issues allowing to browse remote dicom servers + introduced UnitTests
author | Alain Mazy <am@osimis.io> |
---|---|
date | Wed, 15 Mar 2023 16:36:42 +0100 |
parents | 1a13c4fbc9a1 |
children | 0ffad746a16b |
--- a/Plugin/DefaultAuthorizationParser.cpp Thu Mar 09 14:37:52 2023 +0100
+++ b/Plugin/DefaultAuthorizationParser.cpp Wed Mar 15 16:36:42 2023 +0100
@@ -50,7 +50,7 @@
 "^" + tmp + "/studies/([.0-9]+)/series/([.0-9]+)/instances/([.0-9]+)(|/|/frames/.*)$");
 dicomWebQidoRsFind_ = boost::regex(
- "^" + tmp + "/(studies|series|instances)\?(.*)$");
+ "^" + tmp + "/(studies|series|instances)$");
 }
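Review bot: The rewritten `dicomWebQidoRsFind_` pattern carries no comment explaining why the query part was dropped, and that reasoning is easy to lose in a later edit. In a C++ string literal `\?` is plain `?`, so the old expression read `(studies|series|instances)?(.*)$` and would match any URI under the DICOMweb root rather than only QIDO-RS searches. I would add above the assignment: `// URI only, anchored with $: the query string arrives separately in getArguments; an open-ended tail here would match unrelated DICOMweb routes.` The constructor body starts outside the hunk, so whether `tmp` is regex-escaped before concatenation cannot be checked from here.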
@@ -134,40 +134,46 @@
 }
 else if (boost::regex_match(uri, what, dicomWebQidoRsFind_))
 {
- std::string studyInstanceUid, seriesInstanceUid, sopInstanceUid;
+ std::string studyInstanceUid, seriesInstanceUid, sopInstanceUid, patientId;
 studyInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000D", "");
 seriesInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "0020000E", "");
 sopInstanceUid = Orthanc::HttpToolbox::GetArgument(getArguments, "00080018", "");
+ patientId = Orthanc::HttpToolbox::GetArgument(getArguments, "00100010", "");
 if (!sopInstanceUid.empty() && !seriesInstanceUid.empty() && !studyInstanceUid.empty())
 {
 AddDicomInstance(target, studyInstanceUid, seriesInstanceUid, sopInstanceUid);
+ return true;
 }
 else if (!seriesInstanceUid.empty() && !studyInstanceUid.empty())
 {
 AddDicomSeries(target, studyInstanceUid, seriesInstanceUid);
+ return true;
 }
 else if (!studyInstanceUid.empty())
 {
 AddDicomStudy(target, studyInstanceUid);
+ return true;
 }
- return true;
+ else if (!patientId.empty())
+ {
+ AddDicomPatient(target, patientId);
+ return true;
+ }
 }
- else
- {
- // Unknown type of resource: Consider it as a system access
+
+ // Unknown type of resource: Consider it as a system access
- // Remove the trailing slashes if need be
- std::string s = uri;
- while (!s.empty() &&
- s[s.length() - 1] == '/')
- {
- s = s.substr(0, s.length() - 1);
- }
-
- target.push_back(AccessedResource(AccessLevel_System, s, ""));
- return true;
- }
+ // Remove the trailing slashes if need be
+ std::string s = uri;
+ while (!s.empty() &&
+ s[s.length() - 1] == '/')
+ {
+ s = s.substr(0, s.length() - 1);
+ }
+
+ target.push_back(AccessedResource(AccessLevel_System, s, ""));
+ return true;
 }
 }
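Review bot: `patientId` is read from the query key `00100010`, which is the DICOM tag for PatientName (0010,0010); PatientID is (0010,0020). As written, a QIDO-RS search filtered on the patient ID falls through to the system-level branch, while a search filtered on the patient name hands that name to `AddDicomPatient` as if it were an identifier, so a patient-level authorization decision would be made on the wrong attribute. I would change the line to `patientId = Orthanc::HttpToolbox::GetArgument(getArguments, "00100020", "");` and add a unit test that uses that key. The enclosing function starts before this hunk, so how `AddDicomPatient` uses the value is not visible here.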