SECURITY: Set correct Mime Type on /api/preferences
Prevents a reflected Cross-Site Scripting (XSS) vulnerability

Bug: T270195
Change-Id: I04bf53d2a939da369e54e91899615a3ffc3e5caf
reedy committed Dec 15, 2020
1 parent 085a51b commit 4b7e1d6
Showing 1 changed file with 12 additions and 3 deletions.
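--- a/quarry/web/app.py
+++ b/quarry/web/app.py
@@ -398,9 +398,15 @@ def pref_get(key):
 return "Authentication required", 401
 
 if key in get_preferences():
-return Response(json.dumps({'key': key, 'value': get_preferences()[key]}))
+return Response(
+json.dumps({'key': key, 'value': get_preferences()[key]}),
+mimetype='application/json'
+)
 else:
-return Response(json.dumps({'key': key, 'error': 'novalue'}))
+return Response(
+json.dumps({'key': key, 'error': 'novalue'}),
+mimetype='application/json'
+)
 
 
 @app.route("/api/preferences/set/<key>/<value>")
@@ -409,7 +415,10 @@ def pref_set(key, value):
 return "Authentication required", 401
 
 get_preferences()[key] = (None if value == 'null' else value)
-return Response(json.dumps({'key': key, 'success': ''})), 201
+return Response(
+json.dumps({'key': key, 'success': ''}),
+mimetype='application/json'
+), 201
 
 
 if __name__ == '__main__':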
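Review bot: The three JSON responses in both hunks repeat the `mimetype='application/json'` keyword by hand, where Flask's `jsonify` (imported from flask alongside `Response`) sets that MIME type itself, e.g. `return jsonify({'key': key, 'value': get_preferences()[key]})` in pref_get and `return jsonify({'key': key, 'success': ''}), 201` in pref_set, so a future route cannot forget it again. Adding `X-Content-Type-Options: nosniff` to these responses (or app-wide in an after_request hook) would keep a browser from sniffing a reflected `key` value as HTML, as a second layer behind the correct MIME type. Separately, `@app.route("/api/preferences/set/<key>/<value>")` carries no `methods=` argument and so mutates preferences on a plain GET, which leaves the state change reachable from cross-site navigations; that is outside this commit's scope but worth a follow-up. Both pref_get and pref_set begin above their hunks.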
