Mercurial > hg > orthanc
view Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch @ 2248:69b0f4e8a49b
Escape multipart type parameter value in Content-Type header
## Summary
Multipart responses do not quote/escape the value of their type
parameter (the subtype) even though it always contains at least one
special character (the slash "/"), which confuses standard-compliant
HTTP clients.
## Details
The Content-Type header in HTTP is in RFC 7231, Section 3.1.1.5:
https://tools.ietf.org/html/rfc7231#section-3.1.1.5
The section defers to the media type section (3.1.1.1) for the syntax of
the media type:
https://tools.ietf.org/html/rfc7231#section-3.1.1.1
This states that a parameter value can be quoted:
parameter = token "=" ( token / quoted-string )
A parameter value that matches the token production can be transmitted
either as a token or within a quoted-string. The quoted and unquoted
values are equivalent.
Tokens are defined in RFC 7230, Section 3.2.6 (via RFC 7231, appendix
C):
https://tools.ietf.org/html/rfc7231#appendix-C
https://tools.ietf.org/html/rfc7230#section-3.2.6
Here we observe that tokens cannot contain a slash "/" character:
token = 1*tchar
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
/ DIGIT / ALPHA
; any VCHAR, except delimiters
Delimiters are chosen from the set of US-ASCII visual characters not
allowed in a token (DQUOTE and "(),/:;<=>?@[\]{}").
However, the current implementation does not quote/escape the value of
the type parameter:
multipart/related; type=application/dicom
Instead, it should be:
multipart/related; type="application/dicom"
All of this also seems to apply to the MIME Content-Type header
definition, even though it is a little different:
https://www.iana.org/assignments/message-headers
https://tools.ietf.org/html/rfc2045#section-5.1
https://tools.ietf.org/html/rfc2387
author | Thibault Nélis <tn@osimis.io> |
---|---|
date | Mon, 16 Jan 2017 13:07:11 +0100 |
parents | 6ac6193a7935 |
children |
line wrap: on
line source
diff -urEb dcmtk-3.6.0.orig/dcmnet/libsrc/dulparse.cc dcmtk-3.6.0/dcmnet/libsrc/dulparse.cc --- dcmtk-3.6.0.orig/dcmnet/libsrc/dulparse.cc 2010-12-01 09:26:36.000000000 +0100 +++ dcmtk-3.6.0/dcmnet/libsrc/dulparse.cc 2016-12-02 15:58:49.930540033 +0100 @@ -393,6 +393,8 @@ return cond; buf += length; + if (presentationLength < length) + return EC_MemoryExhausted; presentationLength -= length; DCMNET_TRACE("Successfully parsed Abstract Syntax"); break; @@ -404,12 +406,16 @@ cond = LST_Enqueue(&context->transferSyntaxList, (LST_NODE*)subItem); if (cond.bad()) return cond; buf += length; + if (presentationLength < length) + return EC_MemoryExhausted; presentationLength -= length; DCMNET_TRACE("Successfully parsed Transfer Syntax"); break; default: cond = parseDummy(buf, &length, presentationLength); buf += length; + if (presentationLength < length) + return EC_MemoryExhausted; presentationLength -= length; break; }