changeset 5462:505416b269a0

Fix XSS in Orthanc error reporting (as reported by S├ębastien Doria, Vumetric Cybersecurity)
author Alain Mazy <am@osimis.io>
date Tue, 12 Dec 2023 10:13:49 +0100
parents 67dc2567ea6f
children 8f1a0ba5c759
files NEWS OrthancFramework/Sources/HttpServer/HttpOutput.cpp
diffstat 2 files changed, 14 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/NEWS	Mon Dec 11 16:18:57 2023 +0100
+++ b/NEWS	Tue Dec 12 10:13:49 2023 +0100
@@ -91,6 +91,9 @@
 * Upgraded minizip library to stay away from CVE-2023-45853 although Orthanc is likely not affected since zip
   filenames are based on DICOM Tag values whose length is limited in size.
   Great thanks to James Addison for notifying us about the vulnerability and patch to apply !
+* Fix XSS in Orthanc error reporting (as reported by S├ębastien Doria, Vumetric Cybersecurity) by:
+  - always including a 'Content-Type' header in HTTP responses with a body.
+  - always including 'X-Content-Type-Options: nosniff'
 
 
 Version 1.12.1 (2023-07-04)
--- a/OrthancFramework/Sources/HttpServer/HttpOutput.cpp	Mon Dec 11 16:18:57 2023 +0100
+++ b/OrthancFramework/Sources/HttpServer/HttpOutput.cpp	Tue Dec 12 10:13:49 2023 +0100
@@ -318,6 +318,8 @@
     isDeflateAllowed_(false),
     isGzipAllowed_(false)
   {
+    // prevent MIME Confusion attacks: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
+    stateMachine_.AddHeader("X-Content-Type-Options", "nosniff");
   }
 
   void HttpOutput::SetDeflateAllowed(bool allowed)
@@ -351,8 +353,8 @@
 
 
   void HttpOutput::SendStatus(HttpStatus status,
-			      const char* message,
-			      size_t messageSize)
+                              const char* message,
+                              size_t messageSize)
   {
     if (status == HttpStatus_301_MovedPermanently ||
         //status == HttpStatus_401_Unauthorized ||
@@ -363,6 +365,13 @@
     }
     
     stateMachine_.SetHttpStatus(status);
+
+    if (messageSize > 0)
+    {
+      // we assume that the body always contains a json description of the error
+      stateMachine_.SetContentType("application/json");
+    }
+
     stateMachine_.SendBody(message, messageSize);
   }