diff OrthancFramework/Sources/HttpServer/HttpOutput.cpp @ 5462:505416b269a0

Fix XSS in Orthanc error reporting (as reported by Sébastien Doria, Vumetric Cybersecurity)
author Alain Mazy <am@osimis.io>
date Tue, 12 Dec 2023 10:13:49 +0100
parents 59e3b6f8c5be
children 8f1a0ba5c759
--- a/OrthancFramework/Sources/HttpServer/HttpOutput.cpp	Mon Dec 11 16:18:57 2023 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpOutput.cpp	Tue Dec 12 10:13:49 2023 +0100
@@ -318,6 +318,8 @@
     isDeflateAllowed_(false),
     isGzipAllowed_(false)
   {
+    // prevent MIME Confusion attacks: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
+    stateMachine_.AddHeader("X-Content-Type-Options", "nosniff");
   }
 
   void HttpOutput::SetDeflateAllowed(bool allowed)
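Review bot: The comment on the new AddHeader line names the attack but not the precondition: nosniff only tells browsers to honour the declared Content-Type instead of guessing one from the body, so it is protective only when the response actually declares an accurate type, and the comment should say so. Suggest `// nosniff makes browsers honour the declared Content-Type instead of sniffing the body; it only helps when the Content-Type is set explicitly (SendStatus declares application/json for error bodies in this same change)`. Whether a later AddHeader call for the same name replaces or duplicates this value is not visible in the hunk; if it can be overridden per response, that deserves a note at the call site too. The HttpOutput constructor begins outside the hunk.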
@@ -351,8 +353,8 @@
 
 
   void HttpOutput::SendStatus(HttpStatus status,
-			      const char* message,
-			      size_t messageSize)
+                              const char* message,
+                              size_t messageSize)
   {
     if (status == HttpStatus_301_MovedPermanently ||
         //status == HttpStatus_401_Unauthorized ||
@@ -363,6 +365,13 @@
     }
     
     stateMachine_.SetHttpStatus(status);
+
+    if (messageSize > 0)
+    {
+      // we assume that the body always contains a json description of the error
+      stateMachine_.SetContentType("application/json");
+    }
+
     stateMachine_.SendBody(message, messageSize);
   }