Mercurial > hg > orthanc
changeset 3535:41365091a41e
display a security warning in the logs at startup when ExecuteLuaEnabled is true
| author | Alain Mazy <alain@mazy.be> |
|---|---|
| date | Sun, 06 Oct 2019 09:52:57 +0200 |
| parents | cac8ffcb9cef |
| children | 8be5451f6820 |
| files | OrthancServer/OrthancConfiguration.cpp OrthancServer/OrthancConfiguration.h OrthancServer/OrthancRestApi/OrthancRestSystem.cpp OrthancServer/ServerContext.cpp OrthancServer/ServerContext.h OrthancServer/main.cpp |
| diffstat | 6 files changed, 39 insertions(+), 13 deletions(-) [+] |
line wrap: on
line diff
--- a/OrthancServer/OrthancConfiguration.cpp Fri Oct 04 19:16:12 2019 +0200 +++ b/OrthancServer/OrthancConfiguration.cpp Sun Oct 06 09:52:57 2019 +0200 @@ -656,6 +656,11 @@ } + bool OrthancConfiguration::IsExecuteLuaEnabled() const + { + return GetBooleanParameter("ExecuteLuaEnabled", false); + } + std::string OrthancConfiguration::InterpretStringParameterAsPath( const std::string& parameter) const {
--- a/OrthancServer/OrthancConfiguration.h Fri Oct 04 19:16:12 2019 +0200 +++ b/OrthancServer/OrthancConfiguration.h Sun Oct 06 09:52:57 2019 +0200 @@ -231,5 +231,7 @@ void ResetServerIndex(); TemporaryFile* CreateTemporaryFile() const; + + bool IsExecuteLuaEnabled() const; }; }
--- a/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp Fri Oct 04 19:16:12 2019 +0200 +++ b/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp Sun Oct 06 09:52:57 2019 +0200 @@ -139,22 +139,17 @@ static void ExecuteScript(RestApiPostCall& call) { - { - OrthancConfiguration::ReaderLock lock; + ServerContext& context = OrthancRestApi::GetContext(call); - static const char* const OPTION = "ExecuteLuaEnabled"; - if (!lock.GetConfiguration().GetBooleanParameter(OPTION, false)) - { - LOG(ERROR) << "The URI /tools/execute-script is disallowed for security, " - << "check value of configuration option \"" << OPTION << "\""; - call.GetOutput().SignalError(HttpStatus_403_Forbidden); - return; - } + if (!context.IsExecuteLuaEnabled()) + { + LOG(ERROR) << "The URI /tools/execute-script is disallowed for security, " + << "check your configuration file"; + call.GetOutput().SignalError(HttpStatus_403_Forbidden); + return; } std::string result; - ServerContext& context = OrthancRestApi::GetContext(call); - std::string command; call.BodyToString(command);
--- a/OrthancServer/ServerContext.cpp Fri Oct 04 19:16:12 2019 +0200 +++ b/OrthancServer/ServerContext.cpp Sun Oct 06 09:52:57 2019 +0200 @@ -240,7 +240,8 @@ haveJobsChanged_(false), isJobsEngineUnserialized_(false), metricsRegistry_(new MetricsRegistry), - isHttpServerSecure_(true) + isHttpServerSecure_(true), + isExecuteLuaEnabled_(false) { { OrthancConfiguration::ReaderLock lock;
--- a/OrthancServer/ServerContext.h Fri Oct 04 19:16:12 2019 +0200 +++ b/OrthancServer/ServerContext.h Sun Oct 06 09:52:57 2019 +0200 @@ -221,6 +221,7 @@ std::auto_ptr<MetricsRegistry> metricsRegistry_; bool isHttpServerSecure_; + bool isExecuteLuaEnabled_; public: class DicomCacheLocker : public boost::noncopyable @@ -413,5 +414,15 @@ { return isHttpServerSecure_; } + + void SetExecuteLuaEnabled(bool enabled) + { + isExecuteLuaEnabled_ = enabled; + } + + bool IsExecuteLuaEnabled() const + { + return isExecuteLuaEnabled_; + } }; }
--- a/OrthancServer/main.cpp Fri Oct 04 19:16:12 2019 +0200 +++ b/OrthancServer/main.cpp Sun Oct 06 09:52:57 2019 +0200 @@ -898,6 +898,18 @@ { httpServer.SetSslEnabled(false); } + + if (lock.GetConfiguration().GetBooleanParameter("ExecuteLuaEnabled", false)) + { + context.SetExecuteLuaEnabled(true); + LOG(WARNING) << "====> Remote LUA script execution is enabled. Review your configuration option \"ExecuteLuaEnabled\". " + << "Your setup is POSSIBLY INSECURE <===="; + } + else + { + context.SetExecuteLuaEnabled(false); + LOG(WARNING) << "Remote LUA script execution is disabled"; + } } MyHttpExceptionFormatter exceptionFormatter(httpDescribeErrors, plugins);