# HG changeset patch
# User Alain Mazy
# Date 1702372429 -3600
# Node ID 505416b269a0db667de624c8fffed45e5e2b0567
# Parent 67dc2567ea6fe71fdfa842fd7978b09892e34f6f
Fix XSS in Orthanc error reporting (as reported by Sébastien Doria, Vumetric Cybersecurity)

diff -r 67dc2567ea6f -r 505416b269a0 NEWS
--- a/NEWS	Mon Dec 11 16:18:57 2023 +0100
+++ b/NEWS	Tue Dec 12 10:13:49 2023 +0100
@@ -91,6 +91,9 @@
 * Upgraded minizip library to stay away from CVE-2023-45853 although Orthanc is likely not affected since zip filenames are based on DICOM Tag values whose length is limited in size. Great thanks to James Addison for notifying us about the vulnerability and patch to apply !
+* Fix XSS in Orthanc error reporting (as reported by Sébastien Doria, Vumetric Cybersecurity) by:
+  - always including a 'Content-Type' header in HTTP responses with a body.
+  - always including 'X-Content-Type-Options: nosniff'
 
 Version 1.12.1 (2023-07-04)

diff -r 67dc2567ea6f -r 505416b269a0 OrthancFramework/Sources/HttpServer/HttpOutput.cpp
--- a/OrthancFramework/Sources/HttpServer/HttpOutput.cpp	Mon Dec 11 16:18:57 2023 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpOutput.cpp	Tue Dec 12 10:13:49 2023 +0100
@@ -318,6 +318,8 @@
     isDeflateAllowed_(false),
     isGzipAllowed_(false)
   {
+    // prevent MIME Confusion attacks: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
+    stateMachine_.AddHeader("X-Content-Type-Options", "nosniff");
   }
 
   void HttpOutput::SetDeflateAllowed(bool allowed)
@@ -351,8 +353,8 @@
   void HttpOutput::SendStatus(HttpStatus status,
-                              const char* message,
-                              size_t messageSize)
+                               const char* message,
+                               size_t messageSize)
   {
     if (status == HttpStatus_301_MovedPermanently ||
         //status == HttpStatus_401_Unauthorized ||
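Review bot: The `// prevent MIME Confusion attacks` comment added in the HttpOutput constructor explains what the header is but not why it is paired with the Content-Type change further down: `nosniff` only tells a browser to trust the declared type, so a body that goes out with no Content-Type at all is still open to interpretation, which is why the SendStatus hunk now declares one. Suggest extending the comment to `// nosniff only constrains browsers when a Content-Type is declared; SendStatus() therefore sets one for every non-empty body`. Because the header is added in the constructor, every response produced through an HttpOutput instance carries it; whether any response path bypasses this class cannot be seen from this hunk and is worth confirming. A regression test asserting both `X-Content-Type-Options: nosniff` and a Content-Type on an error response would pin the fix against future refactors.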
@@ -363,6 +365,13 @@
     }
 
     stateMachine_.SetHttpStatus(status);
+
+    if (messageSize > 0)
+    {
+      // we assume that the body always contains a json description of the error
+      stateMachine_.SetContentType("application/json");
+    }
+
     stateMachine_.SendBody(message, messageSize);
   }
 
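Review bot: SendStatus now labels every non-empty body `application/json` on the strength of the `// we assume` comment, yet the function receives an opaque `const char* message` and nothing in the hunk checks or documents that assumption for callers. Mislabelling is harmless from the XSS angle, since a body declared as JSON is not rendered as HTML, but a caller that passes plain text or a fragment of HTML would hand API clients a wrong Content-Type and the comment would silently become false. A backward-compatible way to make the contract explicit is an optional parameter, `void SendStatus(HttpStatus status, const char* message, size_t messageSize, const char* contentType = "application/json");` with `stateMachine_.SetContentType(contentType);` in the body, or at minimum a doc comment on the declaration stating that message must be a JSON document. SendStatus begins outside this hunk: its signature and the status guard are in the preceding hunk, and the `}` at the top of this one closes that guard.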