
0001-SECURITY-Set-correct-Content-Type-Mime-Type-on-api-p.patch

Authored By: Reedy, Dec 15 2020, 4:56 PM
Size: 1 KB


From 7b920e1a4264c5a0c6d27f043f52d5575ca6cf03 Mon Sep 17 00:00:00 2001
From: Reedy <reedy@wikimedia.org>
Date: Tue, 15 Dec 2020 16:55:55 +0000
Subject: [PATCH] SECURITY: Set correct Content-Type/Mime Type on
/api/preferences
Prevents a Reflected Cross-Site scripting (XSS) vulnerability
Bug: T270195
---
quarry/web/app.py | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/quarry/web/app.py b/quarry/web/app.py
index 13251eb..da36ad2 100644
--- a/quarry/web/app.py
+++ b/quarry/web/app.py
@@ -398,9 +398,17 @@ def pref_get(key):
return "Authentication required", 401
if key in get_preferences():
- return Response(json.dumps({'key': key, 'value': get_preferences()[key]}))
+ return Response(
+ json.dumps({'key': key, 'value': get_preferences()[key]}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ )
else:
- return Response(json.dumps({'key': key, 'error': 'novalue'}))
+ return Response(
+ json.dumps({'key': key, 'error': 'novalue'}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ )
@app.route("/api/preferences/set/<key>/<value>")
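Review bot: the `content_type='application/json+; charset=utf-8'` argument on both new `Response(...)` calls in this hunk has a stray `+` after `json`, and because Werkzeug lets an explicit `content_type` override `mimetype`, the header actually sent is `Content-Type: application/json+; charset=utf-8`, which is not a registered media type, while the correct `mimetype='application/json'` value is discarded. Drop the `content_type=` line and keep `mimetype='application/json'` (or return `flask.jsonify({'key': key, 'value': ...})`, which sets the header itself), and add a test that asserts on `response.content_type` so a regression in the fix is caught. Minor: `get_preferences()` is called twice in the `if` branch; bind it to a local once.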
@@ -409,7 +417,11 @@ def pref_set(key, value):
return "Authentication required", 401
get_preferences()[key] = (None if value == 'null' else value)
- return Response(json.dumps({'key': key, 'success': ''})), 201
+ return Response(
+ json.dumps({'key': key, 'success': ''}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ ), 201
if __name__ == '__main__':
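Review bot: the same `application/json+` typo in `content_type=` appears here; as in the first hunk, remove the `content_type=` line and rely on `mimetype='application/json'` (or `jsonify`). The `, 201` status is correctly kept outside the `Response(...)` call. Since the point of the change is to stop a browser from rendering the reflected `key` as HTML, consider also sending `X-Content-Type-Options: nosniff` on these JSON responses so that a future Content-Type mistake like this one cannot reopen the issue.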
--
2.25.1
