F33946428
0001-SECURITY-Set-correct-Content-Type-Mime-Type-on-api-p.patch
Reedy (Sam Reed)
Authored By
Reedy
Dec 15 2020, 5:05 PM
2020-12-15 17:05:18 (UTC+0)
Size
1 KB
From bb83dad383a5d3c8ce5c21d28b6522c42ebc1668 Mon Sep 17 00:00:00 2001
From: Reedy <reedy@wikimedia.org>
Date: Tue, 15 Dec 2020 16:55:55 +0000
Subject: [PATCH] SECURITY: Set correct Content-Type/Mime Type on
/api/preferences
Prevents a Reflected Cross-Site scripting (XSS) vulnerability
Bug: T270195
---
quarry/web/app.py | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/quarry/web/app.py b/quarry/web/app.py
index 13251eb..845a60f 100644
--- a/quarry/web/app.py
+++ b/quarry/web/app.py
@@ -398,9 +398,15 @@ def pref_get(key):
return "Authentication required", 401
if key in get_preferences():
- return Response(json.dumps({'key': key, 'value': get_preferences()[key]}))
+ return Response(
+ json.dumps({'key': key, 'value': get_preferences()[key]}),
+ mimetype='application/json'
+ )
else:
- return Response(json.dumps({'key': key, 'error': 'novalue'}))
+ return Response(
+ json.dumps({'key': key, 'error': 'novalue'}),
+ mimetype='application/json'
+ )
@app.route("/api/preferences/set/<key>/<value>")
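Review bot: the root cause is that a bare flask Response defaults to mimetype text/html, so the user-controlled `key` taken from the URL path and echoed back through json.dumps was rendered as markup by the browser; passing mimetype='application/json' on both branches of pref_get is the correct fix, and it is good that the error branch was covered too, since it echoes `key` just the same. Two suggestions: prefer `return jsonify({'key': key, 'value': prefs[key]})` over `Response(json.dumps(...))` so the content type cannot be forgotten on future endpoints, and consider adding an `X-Content-Type-Options: nosniff` header so browsers never second-guess the declared type. Minor: get_preferences() is called twice in the first branch; bind it to a local once.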
@@ -409,7 +415,10 @@ def pref_set(key, value):
return "Authentication required", 401
get_preferences()[key] = (None if value == 'null' else value)
- return Response(json.dumps({'key': key, 'success': ''})), 201
+ return Response(
+ json.dumps({'key': key, 'success': ''}),
+ mimetype='application/json'
+ ), 201
if __name__ == '__main__':
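Review bot: same fix applied consistently to pref_set, and the tuple form `Response(...), 201` still carries the 201 status. Here `jsonify({'key': key, 'success': ''}), 201` would set application/json without the explicit argument, as suggested for pref_get. What the patch is missing is a regression test: a request to each of these routes asserting that the response Content-Type starts with application/json is what actually keeps this class of bug from returning.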
--
2.25.1
Attached To
T270195: Reflected Cross-Site scripting (XSS) vulnerability in analytics-quarry-web