diff OrthancServer/Sources/OrthancRestApi/OrthancRestResources.cpp @ 5200:f8f1c4a9a216
New configuration option 'RestApiWriteToFileSystemEnabled'
author | Alain Mazy <am@osimis.io> |
---|---|
date | Wed, 29 Mar 2023 11:23:37 +0200 |
parents | 0ea402b4d901 |
children | d0f7c742d397 |
--- a/OrthancServer/Sources/OrthancRestApi/OrthancRestResources.cpp Tue Mar 28 10:48:13 2023 +0200
+++ b/OrthancServer/Sources/OrthancRestApi/OrthancRestResources.cpp Wed Mar 29 11:23:37 2023 +0200
@@ -428,7 +428,12 @@
 call.GetDocumentation()
 .SetTag("Instances")
 .SetSummary("Write DICOM onto filesystem")
- .SetDescription("Write the DICOM file onto the filesystem where Orthanc is running")
+ .SetDescription("Write the DICOM file onto the filesystem where Orthanc is running. This is insecure for "
+ "Orthanc servers that are remotely accessible since one could overwrite any system file. "
+ "Since Orthanc 1.12.0, this route is disabled by default and can be enabled thanks to "
+ "the `RestApiWriteToFileSystemEnabled` configuration.")
+ .AddRequestType(MimeType_PlainText, "The Lua script to be executed")
+ .SetUriArgument("id", "Orthanc identifier of the DICOM instance of interest")
 .AddRequestType(MimeType_PlainText, "Target path on the filesystem");
 return;
@@ -436,6 +441,14 @@
 ServerContext& context = OrthancRestApi::GetContext(call);
+ if (!context.IsRestApiWriteToFileSystemEnabled())
+ {
+ LOG(ERROR) << "The URI /instances/../export is disallowed for security, " << "check your configuration option `RestApiWriteToFileSystemEnabled`";
+ call.GetOutput().SignalError(HttpStatus_403_Forbidden);
+ return;
+ }
+
 std::string publicId = call.GetUriComponent("id", "");
 std::string dicom;
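Review bot: The added `.AddRequestType(MimeType_PlainText, "The Lua script to be executed")` does not describe this route: the body of the export call is the target path, as the existing `.AddRequestType(MimeType_PlainText, "Target path on the filesystem")` two lines below already states, so the generated documentation now lists two contradictory request bodies for the same MIME type. The wording looks copied from a script-execution route; drop the Lua line and keep the new `.SetUriArgument("id", …)`, which is correct for this handler. The documentation chain starts before the hunk.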
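Review bot: The refusal in the second hunk is logged with `LOG(ERROR)` on every request to a route the administrator has deliberately left disabled, although the 403 describes a client-side condition rather than a server fault; on a remotely reachable server (the situation the new description warns about) repeated requests would swamp the error log with identical entries. `LOG(WARNING)` seems the fitting level here, and the guard deserves a comment tying it to the option, e.g. `// Disabled by default since 1.12.0 (RestApiWriteToFileSystemEnabled); refuse before reading any request input`. The enclosing handler begins before and continues after this hunk.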