F33946416
0001-SECURITY-Set-correct-Content-Type-Mime-Type-on-api-p.patch
Reedy (Sam Reed)
Authored By
Reedy
Dec 15 2020, 4:56 PM
2020-12-15 16:56:36 (UTC+0)
Size
1 KB
From 7b920e1a4264c5a0c6d27f043f52d5575ca6cf03 Mon Sep 17 00:00:00 2001
From: Reedy <reedy@wikimedia.org>
Date: Tue, 15 Dec 2020 16:55:55 +0000
Subject: [PATCH] SECURITY: Set correct Content-Type/Mime Type on
/api/preferences
Prevents a Reflected Cross-Site scripting (XSS) vulnerability
Bug: T270195
---
quarry/web/app.py | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/quarry/web/app.py b/quarry/web/app.py
index 13251eb..da36ad2 100644
--- a/quarry/web/app.py
+++ b/quarry/web/app.py
@@ -398,9 +398,17 @@ def pref_get(key):
return "Authentication required", 401
if key in get_preferences():
- return Response(json.dumps({'key': key, 'value': get_preferences()[key]}))
+ return Response(
+ json.dumps({'key': key, 'value': get_preferences()[key]}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ )
else:
- return Response(json.dumps({'key': key, 'error': 'novalue'}))
+ return Response(
+ json.dumps({'key': key, 'error': 'novalue'}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ )
@app.route("/api/preferences/set/<key>/<value>")
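Review bot: the `content_type='application/json+; charset=utf-8'` argument in both new `Response(...)` calls carries a stray `+` after `json`, so the header actually emitted is `application/json+; charset=utf-8`, which is not a registered media type. Werkzeug uses `content_type` verbatim when it is supplied and ignores `mimetype`, so the `mimetype='application/json'` argument on the preceding line never takes effect. Drop the `+` (`content_type='application/json; charset=utf-8'`) and remove the redundant `mimetype` line, or replace the `Response(json.dumps(...))` pattern with `flask.jsonify({'key': key, 'value': ...})`, which sets `application/json` itself. The fix matters because Flask's `Response` defaults to `text/html`, and `key` is taken straight from the URL path and echoed into the body; `json.dumps` escapes quotes but not `<` or `>`, so the declared Content-Type is what stops a browser from rendering the echoed value as markup. Adding an `X-Content-Type-Options: nosniff` header on these responses would be a cheap second layer.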
@@ -409,7 +417,11 @@ def pref_set(key, value):
return "Authentication required", 401
get_preferences()[key] = (None if value == 'null' else value)
- return Response(json.dumps({'key': key, 'success': ''})), 201
+ return Response(
+ json.dumps({'key': key, 'success': ''}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ ), 201
if __name__ == '__main__':
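Review bot: same typo here, `content_type='application/json+; charset=utf-8'` on the new line before `), 201`, and the same redundant `mimetype` argument that Werkzeug discards when `content_type` is given. This is now the third copy of the identical `Response(json.dumps(...), mimetype=..., content_type=...)` block in the file; a small helper (for example `def json_response(payload, status=200): return Response(json.dumps(payload), content_type='application/json; charset=utf-8'), status`) or `flask.jsonify` would keep the three call sites from drifting apart the next time the header needs to change, and would make a one-character mistake like this impossible to reintroduce per call.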
--
2.25.1
Attached To
T270195: Reflected Cross-Site scripting (XSS) vulnerability in analytics-quarry-web