Referenced from apache/tooling-trusted-releases#713
ASVS Requirement: 4.1.1 — Verify that every HTTP response with a message body contains a Content-Type header field that matches the actual content, including the charset parameter
Severity: Low
CWE: CWE-838 (Inappropriate Encoding for Output Context)
Description
Multiple HTTP error and status responses in the asfquart framework return plain text strings but rely on Quart's default Content-Type of text/html; charset=utf-8. This violates ASVS 4.1.1 because the Content-Type does not match the actual content.
Affected Locations
src/asfquart/generics.py — OAuth error and logout responses:
```python
return quart.Response(
    status=403,
    response="Invalid or expired OAuth state provided.\n",
)
return quart.Response(
    status=200,
    response="Client session removed, goodbye!\n",
)
```
src/asfquart/base.py — Exception handler:
```python
return quart.Response(status=error.errorcode, response=error.message)
```
src/asfquart/utils.py — Request size limit error:
```python
return quart.Response(
    status=413,
    response="Request content length exceeds limit!",
)
```
Impact
- Browsers receiving text/html will attempt to parse the plain text body as HTML, which could amplify injection risks if error messages ever include user-controlled input.
- This is a defense-in-depth concern — even if current error messages are static, the pattern is unsafe if extended.
Recommended Fix
Explicitly set content_type="text/plain; charset=utf-8" on all plain text responses:
```python
return quart.Response(
    status=403,
    response="Invalid or expired OAuth state provided.\n",
    content_type="text/plain; charset=utf-8",
)
```
Note: Since asfquart is a shared framework library (in infrastructure-asfquart), this fix benefits all downstream applications, not just ATR.