changeset 3526:f07352e0375c

new configuration option ExecuteLuaEnabled
author Sebastien Jodogne <s.jodogne@gmail.com>
date Thu, 26 Sep 2019 10:03:35 +0200
parents 8c66c9c2257b
children 40c80049fac7
files NEWS OrthancServer/OrthancRestApi/OrthancRestSystem.cpp OrthancServer/main.cpp Resources/Configuration.json
diffstat 4 files changed, 30 insertions(+), 3 deletions(-) [+]
--- a/NEWS	Wed Sep 25 17:16:54 2019 +0200
+++ b/NEWS	Thu Sep 26 10:03:35 2019 +0200
@@ -5,11 +5,12 @@
 -----------
 
 * Security: If remote access is enabled, HTTP authentication is also enabled by default
+* Security: New configuration option "ExecuteLuaEnabled" to allow "/tools/execute-script"
 * Log an explicit error if uploading an empty DICOM file using REST API
 * Name of temporary files now include the process ID to ease design of scripts cleaning /tmp
 * Fix compatibility of LSB binaries with Ubuntu >= 18.04
 * Fix generation of "SOP Instance UID" on split and merge
-* Orthanc Explorer: include the url search params into HTTP headers to the Rest API to ease usage of the Authorization plugin
+* Orthanc Explorer: include the URL search params into HTTP headers to the REST API to ease usage of the Authorization plugin
   Note that only the 'token', 'auth-token' & 'authorization' search params are transmitted into HTTP headers.
 * in /ordered-slices route, ignore instances without position/normal/seriesIndex
 * Fix lost relationships between CT and RT-STRUCT during anonymization
--- a/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp	Wed Sep 25 17:16:54 2019 +0200
+++ b/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp	Thu Sep 26 10:03:35 2019 +0200
@@ -136,6 +136,19 @@
 
   static void ExecuteScript(RestApiPostCall& call)
   {
+    {
+      OrthancConfiguration::ReaderLock lock;
+
+      static const char* const OPTION = "ExecuteLuaEnabled";
+      if (!lock.GetConfiguration().GetBooleanParameter(OPTION, false))
+      {
+        LOG(ERROR) << "The URI /tools/execute-script is disallowed for security, "
+                   << "check value of configuration option \"" << OPTION << "\"";
+        call.GetOutput().SignalError(HttpStatus_403_Forbidden);
+        return;
+      }
+    }
+
     std::string result;
     ServerContext& context = OrthancRestApi::GetContext(call);
 
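Review bot: The rejection on the new lines is logged with `LOG(ERROR)` although the option being false is the documented default, so every request to the disabled route (which any client able to reach the REST API can issue repeatedly) produces an ERROR entry for a condition that is the configured behaviour, not a server fault; `LOG(WARNING)` (or `LOG(INFO)`) seems the better level, keeping the text as is. The fail-closed default and the early return before `context` is obtained are the right order. A one-line comment above the block would help future readers of the route: `// Lua scripts run with the privileges of the Orthanc process, so the route is opt-in (ExecuteLuaEnabled defaults to false and the call is refused with 403 otherwise)`. ExecuteScript's body continues past the end of this hunk.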
--- a/OrthancServer/main.cpp	Wed Sep 25 17:16:54 2019 +0200
+++ b/OrthancServer/main.cpp	Thu Sep 26 10:03:35 2019 +0200
@@ -516,6 +516,7 @@
     << "  --logfile=[file]\tfile where to store the log of Orthanc" << std::endl
     << "\t\t\t(by default, the log is dumped to stderr)" << std::endl
     << "  --config=[file]\tcreate a sample configuration file and exit" << std::endl
+    << "\t\t\t(if file is \"-\", dumps to stdout)" << std::endl
     << "  --errors\t\tprint the supported error codes and exit" << std::endl
     << "  --verbose\t\tbe verbose in logs" << std::endl
     << "  --trace\t\thighest verbosity in logs (for debug)" << std::endl
@@ -1436,7 +1437,15 @@
 
       try
       {
-        SystemToolbox::WriteFile(configurationSample, target);
+        if (target == "-")
+        {
+          // New in 1.5.8: Print to stdout
+          std::cout << configurationSample;
+        }
+        else
+        {
+          SystemToolbox::WriteFile(configurationSample, target);
+        }
         return 0;
       }
       catch (OrthancException&)
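Review bot: The `--config=-` behaviour added in this hunk (and advertised in the help text of the first hunk) is not mentioned in the NEWS entry of this changeset, which only describes ExecuteLuaEnabled; a line such as `* "--config=-" now dumps the sample configuration to stdout` would document it. The stdout branch also does not flush or check `std::cout` before `return 0`, whereas the file branch is covered by the surrounding try/catch; whether a failed write to stdout should be reported is presumably a deliberate choice, but it deserves a comment. The enclosing function starts and ends outside this hunk.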
--- a/Resources/Configuration.json	Wed Sep 25 17:16:54 2019 +0200
+++ b/Resources/Configuration.json	Thu Sep 26 10:03:35 2019 +0200
@@ -507,5 +507,9 @@
   // set to "true", the metrics can be retrieved at
   // "/tools/metrics-prometheus" formetted using the Prometheus
   // text-based exposition format.
-  "MetricsEnabled" : true
+  "MetricsEnabled" : true,
+
+  // Whether calls to URI "/tools/execute-script" is enabled. Starting
+  // with Orthanc 1.5.8, this URI is disabled by default for security.
+  "ExecuteLuaEnabled" : false
 }
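Review bot: The new comment reads "Whether calls to URI "/tools/execute-script" is enabled", which should be `// Whether calls to the URI "/tools/execute-script" are enabled. Starting`. It would also help operators to state the observable effect of the default, since the REST change in this changeset refuses the call with HTTP 403 when the option is false, e.g. adding `// When disabled, the URI answers 403 Forbidden.` before the key.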