From 7b920e1a4264c5a0c6d27f043f52d5575ca6cf03 Mon Sep 17 00:00:00 2001
From: Reedy
Date: Tue, 15 Dec 2020 16:55:55 +0000
Subject: [PATCH] SECURITY: Set correct Content-Type/Mime Type on /api/preferences
Prevents a Reflected Cross-Site scripting (XSS) vulnerability
Bug: T270195
---
 quarry/web/app.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/quarry/web/app.py b/quarry/web/app.py
index 13251eb..da36ad2 100644
--- a/quarry/web/app.py
+++ b/quarry/web/app.py
@@ -398,9 +398,17 @@ def pref_get(key):
 return "Authentication required", 401
 if key in get_preferences():
- return Response(json.dumps({'key': key, 'value': get_preferences()[key]}))
+ return Response(
+ json.dumps({'key': key, 'value': get_preferences()[key]}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ )
 else:
- return Response(json.dumps({'key': key, 'error': 'novalue'}))
+ return Response(
+ json.dumps({'key': key, 'error': 'novalue'}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ )
 @app.route("/api/preferences/set//")
@@ -409,7 +417,11 @@ def pref_set(key, value):
 return "Authentication required", 401
 get_preferences()[key] = (None if value == 'null' else value)
- return Response(json.dumps({'key': key, 'success': ''})), 201
+ return Response(
+ json.dumps({'key': key, 'success': ''}),
+ mimetype='application/json',
+ content_type='application/json+; charset=utf-8'
+ ), 201
 if __name__ == '__main__':
--
2.25.1
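Review bot: The added `content_type='application/json+; charset=utf-8'` in both Response calls of the pref_get hunk has a stray `+` after `json`, so the header actually sent is not the registered JSON media type; the identical string is repeated in the pref_set hunk. If I read Werkzeug's Response constructor right, an explicit `content_type` is applied verbatim and the `mimetype='application/json'` keyword next to it is then ignored, so the typo is what clients receive. A browser should still refuse to render an unrecognised type as HTML, so the reflected-XSS mitigation largely holds, but strict clients that compare against `application/json` will reject the response; the fix is to drop the typo, `content_type='application/json; charset=utf-8'`, or to remove the `content_type` keyword and let `mimetype` stand. Sending `X-Content-Type-Options: nosniff` on these responses as well would keep the intent robust against content sniffing regardless of the exact header text. Both pref_get and pref_set begin before their hunk, so the authentication checks that precede the shown `return "Authentication required", 401` lines are not visible here.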