fix: [security] rest client additional sanitisation for non json responses

- escape non json response bodies
- as reported by Nils Putnins from NCIA NCSC
pull/9764/head
iglocska 2024-05-30 23:10:24 +02:00
parent 09a43870e7
commit f08a2eaec2
GPG Key ID: BEA224F1FEF113AC
1 changed files with 3 additions and 1 deletions


@ -648,6 +648,9 @@ class RestResponseComponent extends Component
} else {
$prettyPrint = !$this->isAutomaticTool(); // Do not pretty print response for automatic tools
$response = JsonTool::encode($response, $prettyPrint);
if ($format !== 'json') {
$response = h($response);
}
}
} else {
if ($dumpSql) {
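Review bot: The new guard `if ($format !== 'json')` runs HTML-entity escaping (`h()`) over the JSON-encoded body for every non-JSON format, but escaping is context-specific: it only neutralises the body when the client will interpret it as HTML, and it alters the payload for any non-HTML text format that might also reach this branch. How `$format` is derived and which values it can take are outside the hunk, so it is worth confirming that every non-'json' value here is in fact served with an HTML content type; if the goal is to keep browsers from rendering an API body as markup, an explicit Content-Type together with `X-Content-Type-Options: nosniff` is the more robust companion to this escape. A why-comment would help the next reader: `// Non-JSON formats may be rendered by a browser as HTML; escape the serialised body so it cannot be interpreted as markup`. The enclosing method of RestResponseComponent starts and ends outside the hunk.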
@ -669,7 +672,6 @@ class RestResponseComponent extends Component
$tmpFile->writeWithSeparator($response, null);
$response = $tmpFile;
}
if ($response instanceof TmpFileTool) {
$requestEtag = $this->requestEtag();
if ($requestEtag !== null) {