# HG changeset patch # User Sebastien Jodogne # Date 1569485015 -7200 # Node ID f07352e0375ca3fcd1b4ff974be6d7cc8f82f92c # Parent 8c66c9c2257b03392ad6c61f56dec8189ddb0713 new configuration option ExecuteLuaEnabled diff -r 8c66c9c2257b -r f07352e0375c NEWS --- a/NEWS Wed Sep 25 17:16:54 2019 +0200 +++ b/NEWS Thu Sep 26 10:03:35 2019 +0200 @@ -5,11 +5,12 @@ ----------- * Security: If remote access is enabled, HTTP authentication is also enabled by default +* Security: New configuration option "ExecuteLuaEnabled" to allow "/tools/execute-script" * Log an explicit error if uploading an empty DICOM file using REST API * Name of temporary files now include the process ID to ease design of scripts cleaning /tmp * Fix compatibility of LSB binaries with Ubuntu >= 18.04 * Fix generation of "SOP Instance UID" on split and merge -* Orthanc Explorer: include the url search params into HTTP headers to the Rest API to ease usage of the Authorization plugin +* Orthanc Explorer: include the URL search params into HTTP headers to the REST API to ease usage of the Authorization plugin Note that only the 'token', 'auth-token' & 'authorization' search params are transmitted into HTTP headers. * in /ordered-slices route, ignore instances without position/normal/seriesIndex * Fix lost relationships between CT and RT-STRUCT during anonymization diff -r 8c66c9c2257b -r f07352e0375c OrthancServer/OrthancRestApi/OrthancRestSystem.cpp --- a/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp Wed Sep 25 17:16:54 2019 +0200 +++ b/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp Thu Sep 26 10:03:35 2019 +0200 
@@ -136,6 +136,19 @@ static void ExecuteScript(RestApiPostCall& call) { + { + OrthancConfiguration::ReaderLock lock; + + static const char* const OPTION = "ExecuteLuaEnabled"; + if (!lock.GetConfiguration().GetBooleanParameter(OPTION, false)) + { + LOG(ERROR) << "The URI /tools/execute-script is disallowed for security, " + << "check value of configuration option \"" << OPTION << "\""; + call.GetOutput().SignalError(HttpStatus_403_Forbidden); + return; + } + } + std::string result; ServerContext& context = OrthancRestApi::GetContext(call); diff -r 8c66c9c2257b -r f07352e0375c OrthancServer/main.cpp --- a/OrthancServer/main.cpp Wed Sep 25 17:16:54 2019 +0200 +++ b/OrthancServer/main.cpp Thu Sep 26 10:03:35 2019 +0200 @@ -516,6 +516,7 @@ << " --logfile=[file]\tfile where to store the log of Orthanc" << std::endl << "\t\t\t(by default, the log is dumped to stderr)" << std::endl << " --config=[file]\tcreate a sample configuration file and exit" << std::endl + << "\t\t\t(if file is \"-\", dumps to stdout)" << std::endl << " --errors\t\tprint the supported error codes and exit" << std::endl << " --verbose\t\tbe verbose in logs" << std::endl << " --trace\t\thighest verbosity in logs (for debug)" << std::endl @@ -1436,7 +1437,15 @@ try { - SystemToolbox::WriteFile(configurationSample, target); + if (target == "-") + { + // New in 1.5.8: Print to stdout + std::cout << configurationSample; + } + else + { + SystemToolbox::WriteFile(configurationSample, target); + } return 0; } catch (OrthancException&) diff -r 8c66c9c2257b -r f07352e0375c Resources/Configuration.json --- a/Resources/Configuration.json Wed Sep 25 17:16:54 2019 +0200 +++ b/Resources/Configuration.json Thu Sep 26 10:03:35 2019 +0200 
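Review bot: Every rejected call on the new guard emits a `LOG(ERROR)` line, and because the route stays registered when "ExecuteLuaEnabled" is false (the check runs inside the handler, after the request has been accepted), any client that can reach the REST API can fill the error log at will. Under the new default a denied call is the expected outcome rather than a fault, so `LOG(WARNING) << "The URI /tools/execute-script is disallowed for security, " ...` is the better level, or alternatively skip registering the route at startup when the option is off so the 403 is produced by the router and nothing is logged per request. Answering with a bare 403 and keeping the option name in the server log rather than in the response body is right; please keep it that way. ExecuteScript's body continues past the end of the hunk, so whether the request body is touched before the guard elsewhere cannot be confirmed here.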
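Review bot: The new stdout branch returns 0 without checking that the write succeeded: `std::cout << configurationSample;` only sets badbit when stdout is a closed or full pipe, whereas the file branch fails through OrthancException into the catch below, so `orthanc --config=- > file` can report success while leaving a truncated sample. Flush and test the stream before returning, e.g. `std::cout << configurationSample; if (!std::cout.flush()) { LOG(ERROR) << "Cannot write the sample configuration to stdout"; return -1; }`, using whatever error code the catch branch returns. The enclosing function and the catch handler extend beyond the hunk, so that code is not visible here.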
@@ -507,5 +507,9 @@
   // set to "true", the metrics can be retrieved at
   // "/tools/metrics-prometheus" formetted using the Prometheus
   // text-based exposition format.
-  "MetricsEnabled" : true
+  "MetricsEnabled" : true,
+
+  // Whether calls to URI "/tools/execute-script" is enabled. Starting
+  // with Orthanc 1.5.8, this URI is disabled by default for security.
+  "ExecuteLuaEnabled" : false
 }
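Review bot: The new comment says what the option toggles but not why it is dangerous, which is the one thing a deployer needs before flipping it; it also reads "Whether calls ... is enabled" where "are enabled" is meant. Suggested wording: `// Whether the URI "/tools/execute-script" is enabled. Any client allowed to reach the REST API can then run arbitrary Lua code inside the Orthanc process, so this is disabled by default since Orthanc 1.5.8. Enable it only behind HTTP authentication on a trusted network.` Whether Lua loaded through other configuration options is affected by this flag is not visible in this change, so the comment should stay scoped to the URI.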