diff OrthancFramework/Sources/HttpServer/HttpOutput.cpp @ 5462:505416b269a0
Fix XSS in Orthanc error reporting (as reported by Sébastien Doria, Vumetric Cybersecurity)
author | Alain Mazy <am@osimis.io> |
date | Tue, 12 Dec 2023 10:13:49 +0100 |
parents | 59e3b6f8c5be |
children | 8f1a0ba5c759 |
--- a/OrthancFramework/Sources/HttpServer/HttpOutput.cpp Mon Dec 11 16:18:57 2023 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpOutput.cpp Tue Dec 12 10:13:49 2023 +0100
@@ -318,6 +318,8 @@
 isDeflateAllowed_(false),
 isGzipAllowed_(false)
 {
+ // prevent MIME Confusion attacks: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
+ stateMachine_.AddHeader("X-Content-Type-Options", "nosniff");
 }
 void HttpOutput::SetDeflateAllowed(bool allowed)
@@ -351,8 +353,8 @@
 void HttpOutput::SendStatus(HttpStatus status,
- const char* message,
- size_t messageSize)
+ const char* message,
+ size_t messageSize)
 {
 if (status == HttpStatus_301_MovedPermanently ||
 //status == HttpStatus_401_Unauthorized ||
@@ -363,6 +365,13 @@
 }
 stateMachine_.SetHttpStatus(status);
+
+ if (messageSize > 0)
+ {
+ // we assume that the body always contains a json description of the error
+ stateMachine_.SetContentType("application/json");
+ }
+
 stateMachine_.SendBody(message, messageSize);
 }
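Review bot: The new `if (messageSize > 0)` block in the last hunk labels every non-empty `SendStatus` body as `application/json` on the strength of a comment that only says "we assume", so any caller that passes a plain-text or otherwise non-JSON message is now mislabeled, and the XSS fix named in the commit message (error bodies no longer sniffable as HTML, together with the `X-Content-Type-Options: nosniff` header added in the constructor hunk) only holds if that assumption is true for every caller, which is not visible here. The assumption belongs on the declaration rather than in the body: suggest a contract comment on `SendStatus` in HttpOutput.h such as `// "message" must be a JSON document: it is sent with Content-Type application/json so browsers never sniff it as HTML`, and replacing the in-body comment with `// Explicit Content-Type so an error body that may echo request data cannot be rendered as HTML (see nosniff in the ctor)`. The empty-body case leaves Content-Type unset, which is harmless with nosniff but worth a one-line remark. SendStatus's signature sits in the preceding hunk, outside this one; the middle hunk itself is whitespace-only and needs no review.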