# HG changeset patch
# User Alain Mazy
# Date 1702478673 -3600
# Node ID 2829889bfa577927f6dc59ff8070e05a0ac878d9
# Parent 38f1d06875ad0e233a07b6332e4c4721ae985907
# Parent 8f1a0ba5c7596f69d35e3c09ba520c37fc783865
merge mainline -> pg-transactions

diff -r 38f1d06875ad -r 2829889bfa57 NEWS
--- a/NEWS Tue Dec 12 17:20:10 2023 +0100
+++ b/NEWS Wed Dec 13 15:44:33 2023 +0100
@@ -91,6 +91,9 @@
 * Upgraded minizip library to stay away from CVE-2023-45853 although Orthanc is likely not affected since zip filenames are based on DICOM Tag values whose length is limited in size. Great thanks to James Addison for notifying us about the vulnerability and patch to apply !
+* Fix XSS in Orthanc error reporting (as reported by Sébastien Doria, Vumetric Cybersecurity) by:
+ - always including a 'Content-Type' header in HTTP responses with a body.
+ - always including 'X-Content-Type-Options: nosniff'
 Version 1.12.1 (2023-07-04)
diff -r 38f1d06875ad -r 2829889bfa57 OrthancFramework/Sources/Cache/MemoryStringCache.h
--- a/OrthancFramework/Sources/Cache/MemoryStringCache.h Tue Dec 12 17:20:10 2023 +0100
+++ b/OrthancFramework/Sources/Cache/MemoryStringCache.h Wed Dec 13 15:44:33 2023 +0100
@@ -59,7 +59,7 @@
 public:
- Accessor(MemoryStringCache& cache);
+ explicit Accessor(MemoryStringCache& cache);
 ~Accessor();
 bool Fetch(std::string& value, const std::string& key);
diff -r 38f1d06875ad -r 2829889bfa57 OrthancFramework/Sources/FileStorage/StorageCache.h
--- a/OrthancFramework/Sources/FileStorage/StorageCache.h Tue Dec 12 17:20:10 2023 +0100
+++ b/OrthancFramework/Sources/FileStorage/StorageCache.h Wed Dec 13 15:44:33 2023 +0100
@@ -48,7 +48,7 @@
 {
 StorageCache& storageCache_;
 public:
- Accessor(StorageCache& cache);
+ explicit Accessor(StorageCache& cache);
 void Add(const std::string& uuid,
 FileContentType contentType,
diff -r 38f1d06875ad -r 2829889bfa57 OrthancFramework/Sources/HttpServer/HttpOutput.cpp
--- a/OrthancFramework/Sources/HttpServer/HttpOutput.cpp Tue Dec 12 17:20:10 2023 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpOutput.cpp Wed Dec 13 15:44:33 2023 +0100
@@ -178,6 +178,9 @@
 if (state_ == State_WritingHeader)
 {
+ // always include this header to prevent MIME Confusion attacks: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
+ AddHeader("X-Content-Type-Options", "nosniff");
+
 // Send the HTTP header before writing the body
 stream_.OnHttpStatusReceived(status_);
@@ -351,8 +354,8 @@
 void HttpOutput::SendStatus(HttpStatus status,
- const char* message,
- size_t messageSize)
+ const char* message,
+ size_t messageSize)
 {
 if (status == HttpStatus_301_MovedPermanently ||
 //status == HttpStatus_401_Unauthorized ||
@@ -363,6 +366,13 @@
 }
 stateMachine_.SetHttpStatus(status);
+
+ if (messageSize > 0)
+ {
+ // we assume that the body always contains a json description of the error
+ stateMachine_.SetContentType("application/json");
+ }
+
 stateMachine_.SendBody(message, messageSize);
 }
diff -r 38f1d06875ad -r 2829889bfa57 OrthancFramework/Sources/Logging.cpp
--- a/OrthancFramework/Sources/Logging.cpp Tue Dec 12 17:20:10 2023 +0100
+++ b/OrthancFramework/Sources/Logging.cpp Wed Dec 13 15:44:33 2023 +0100
@@ -27,7 +27,6 @@
 #include "OrthancException.h"
 #include
-#include
 /*********************************************************
@@ -473,6 +472,7 @@
 * mimics behavior from Google Log.
 *********************************************************/
+#include
 #include
 namespace
diff -r 38f1d06875ad -r 2829889bfa57 OrthancServer/Sources/LuaScripting.cpp
--- a/OrthancServer/Sources/LuaScripting.cpp Tue Dec 12 17:20:10 2023 +0100
+++ b/OrthancServer/Sources/LuaScripting.cpp Wed Dec 13 15:44:33 2023 +0100
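Review bot: The `State_WritingHeader` branch now emits `X-Content-Type-Options: nosniff` before `stream_.OnHttpStatusReceived(status_)`, but this choke point still does nothing about the other half of the fix the NEWS entry describes — a `Content-Type` on every response that carries a body; `nosniff` only stops the browser from guessing, so a body that reaches the stream without a content type falls back to browser-specific defaults. If the state machine records whether a content type was set, this branch is the natural place for a defensive default (or at least an assertion/log line) so the guarantee holds for every handler rather than only for `SendStatus`. Whether `AddHeader` replaces or appends is not visible here; if it appends, a handler that already set this header will now emit it twice, which is harmless for `nosniff` but worth confirming. The enclosing function starts before the hunk and continues after it.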
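Review bot: In the `@@ -363` hunk, `stateMachine_.SetContentType("application/json")` is applied to whatever bytes the caller hands to `SendStatus(status, message, messageSize)`; the comment says "we assume" a JSON body, but a `const char*` plus a length enforces nothing, so a caller passing a plain-text message now ships it with a wrong `Content-Type`. From the browser side this remains safe — `application/json` is never rendered as a document and, with `nosniff`, is not sniffed into one — but API clients will try to parse a non-JSON body. The contract belongs on the declaration in the header, outside this hunk, e.g. `// message, when messageSize > 0, must be a JSON document: it is sent as application/json`, and the in-body comment should state the rule rather than an assumption: `// the body of an error status is always a JSON description of the error`. If any caller genuinely needs another type, an overload taking the content type would be cleaner than relaxing the rule here.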
@@ -245,7 +245,7 @@
 JobEvent event_;
 public:
- LuaJobEvent(const JobEvent& event) :
+ explicit LuaJobEvent(const JobEvent& event) :
 event_(event)
 {
 }
diff -r 38f1d06875ad -r 2829889bfa57 OrthancServer/Sources/Search/ISqlLookupFormatter.cpp
--- a/OrthancServer/Sources/Search/ISqlLookupFormatter.cpp Tue Dec 12 17:20:10 2023 +0100
+++ b/OrthancServer/Sources/Search/ISqlLookupFormatter.cpp Wed Dec 13 15:44:33 2023 +0100
@@ -664,7 +664,6 @@
 if (mainDicomTagsComparisons.size() > 0)
 {
- std::string comparisons;
 for (std::vector::const_iterator it = mainDicomTagsComparisons.begin(); it < mainDicomTagsComparisons.end(); ++it)
 {
 sql += (" AND internalId IN (SELECT id FROM MainDicomTags WHERE " + *it + ") ");