andrewmusselman opened a new issue, #713:
URL: https://github.com/apache/tooling-trusted-releases/issues/713

**ASVS Requirement:** 4.1.1 — Verify that every HTTP response with a message body contains a Content-Type header field that matches the actual content, including the charset parameter
**Severity:** Low
**CWE:** CWE-838 (Inappropriate Encoding for Output Context)

### Description

Multiple HTTP error and status responses in the `asfquart` framework return plain text strings but rely on Quart's default Content-Type of `text/html; charset=utf-8`. This violates ASVS 4.1.1 because the Content-Type does not match the actual content.

### Affected Locations

**`src/asfquart/generics.py`** — OAuth error and logout responses:
```python
return quart.Response(
    status=403,
    response="Invalid or expired OAuth state provided.\n",
)

return quart.Response(
    status=200,
    response="Client session removed, goodbye!\n",
)
```

**`src/asfquart/base.py`** — Exception handler:
```python
return quart.Response(status=error.errorcode, response=error.message)
```

**`src/asfquart/utils.py`** — Request size limit error:
```python
return quart.Response(
    status=413,
    response="Request content length exceeds limit!",
)
```

### Impact

- Browsers receiving `text/html` will attempt to parse the plain text body as HTML, which could amplify injection risks if error messages ever include user-controlled input.
- This is a defense-in-depth concern — even if current error messages are static, the pattern is unsafe if extended.

### Recommended Fix

Explicitly set `content_type="text/plain; charset=utf-8"` on all plain text responses:

```python
return quart.Response(
    status=403,
    response="Invalid or expired OAuth state provided.\n",
    content_type="text/plain; charset=utf-8"
)
```

**Note:** Since `asfquart` is a shared framework library (in `infrastructure-asfquart`), this fix benefits all downstream applications, not just ATR.
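Added example, not code from asfquart or from the issue author: a small audit helper that checks a captured response's Content-Type against its body the way ASVS 4.1.1 requires (media type matches the content, charset present), run over constructed samples modelled on the responses quoted in the issue. The Quart default Content-Type value comes from the issue text; the function names, tag list and sample tuples are assumptions.

```python
# Added example, not asfquart's own code: audit captured HTTP responses against
# ASVS 4.1.1 (Content-Type must match the body, charset included).
import re
from email.message import Message

# Markup that indicates a body really is HTML (assumption: this short tag list suffices).
HTML_MARKUP = re.compile(r"<\s*(!doctype|html|body|script|div|p|a)\b", re.IGNORECASE)
QUART_DEFAULT_CT = "text/html; charset=utf-8"  # Quart's default when none is set

def parse_content_type(value):
    """Split 'text/html; charset=utf-8' into ('text/html', {'charset': 'utf-8'})."""
    msg = Message()
    msg["Content-Type"] = value
    params = dict(msg.get_params()[1:])  # entry 0 is the media type itself
    return msg.get_content_type(), {k.lower(): v.lower() for k, v in params.items()}

def audit_response(status, headers, body):
    """Return ASVS 4.1.1 findings for one response; an empty list means it passes."""
    if not body:  # no message body, so there is nothing for Content-Type to match
        return []
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if ctype is None:
        return ["missing Content-Type on a response with a body"]
    media, params = parse_content_type(ctype)
    findings = []
    if media.startswith("text/") and "charset" not in params:
        findings.append(f"{media} without charset parameter")
    if media == "text/html" and not HTML_MARKUP.search(body):
        findings.append("declared text/html but body contains no HTML markup")
    return findings

# Constructed samples modelled on the responses quoted in the issue.
SAMPLES = {
    "oauth_state_before": (403, {"Content-Type": QUART_DEFAULT_CT},
                           "Invalid or expired OAuth state provided.\n"),
    "oauth_state_after": (403, {"Content-Type": "text/plain; charset=utf-8"},
                          "Invalid or expired OAuth state provided.\n"),
    "size_limit_no_charset": (413, {"Content-Type": "text/plain"},
                              "Request content length exceeds limit!"),
    "real_html_page": (200, {"Content-Type": "text/html; charset=utf-8"},
                       "<!doctype html><html><body>ok</body></html>"),
}

def audit_all(samples=SAMPLES):
    """Map each sample name to its findings."""
    return {name: audit_response(*resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'OK'}")
```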

