Comments (5)
Hm, how are SOP Instance UIDs in practice different from UUIDs? I may not understand the problem... do you think somebody will write a file path in the UID so the file will be saved in a sensible location, or something like that?
from pydicom.
Keep in mind I have very little knowledge of this, but you can do:
- Set the SOP Instance UID maliciously (`ds.SOPInstanceUID = "/home/user/test.dcm"`)
- ???
- Profit - in my case, when I call `FileSet.add(ds)` I get the `test.dcm` file escaping the temporary directory and writing itself to my home directory.

When pydicom is setting the filenames using a random value, this is mitigated.
```python
from pydicom import dcmread
from pydicom.data import get_testdata_file
from pydicom.fileset import FileSet

fs = FileSet()
# Load one of pydicom's bundled test datasets
ds = dcmread(get_testdata_file("CT_small.dcm"))
# Filename-shaped UID: FileSet derives the staged filename from this value
ds.SOPInstanceUID = "/home/[user]/freeeeee.dcm"
fs.add(ds)
```

If you had a root-level script running, this could potentially be bad.
Yeah ok, I guessed that you meant something like that. I'm also not an expert in security-related stuff, so...
I think you are right and it makes sense to change this.
I agree about it being a potential security issue, and am fine with the proposal, but thought of a possible alternative: what about just confirming the UID is in fact a valid UID? Or more generally, confirm it has only digits and dots (and perhaps no ".." just to be extra safe).
However, this proposal does guarantee no conflicting values, and no security risk at all, so if it can work without too much added complexity, I'm good with that.
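As an added example (not code from this thread or from pydicom itself), here is the shape of the two mitigations the comments above discuss: a validator that accepts only syntactically valid DICOM UIDs (digits and dots, per PS3.5 section 9.1), a defence-in-depth check that the resulting staging path really stays inside the staging directory, and the random-filename alternative where the UID never reaches the filesystem at all. The staging directory `/tmp/stage`, the sample UIDs and all function names are my own assumptions; the filename-shaped value is the one from the report above.

```python
import re
import secrets
from pathlib import Path

# Constructed sample values (not from pydicom): one well-formed DICOM UID
# and the filename-shaped value used in the report above.
VALID_UID = "1.2.840.10008.5.1.4.1.1.2.1234"
MALICIOUS_UID = "/home/[user]/freeeeee.dcm"

# DICOM PS3.5 section 9.1: a UID is a dot-separated series of numeric
# components, a component may not have a leading zero unless it is exactly
# "0", and the whole string is at most 64 characters long.
_UID_RE = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*")


def is_valid_uid(uid: str) -> bool:
    """True if `uid` is a well-formed DICOM UID (digits and dots only)."""
    return 0 < len(uid) <= 64 and _UID_RE.fullmatch(uid) is not None


def stays_inside(staging_dir: str, name: str) -> bool:
    """True if joining `name` onto `staging_dir` cannot leave that directory.

    `Path(root) / "/abs/path"` silently discards `root`, which is exactly how a
    filename-shaped UID escapes the staging area, so compare resolved paths
    instead of trusting the join.
    """
    root = Path(staging_dir).resolve()
    target = (root / name).resolve()
    return root in target.parents


def staging_path_for_uid(staging_dir: str, uid: str) -> Path:
    """Path the instance would be staged at, or ValueError if the UID is unsafe.

    This is the "just validate the UID" option from the discussion, with the
    containment check kept as defence in depth.
    """
    if not is_valid_uid(uid):
        raise ValueError(f"not a valid DICOM UID: {uid!r}")
    if not stays_inside(staging_dir, uid):
        raise ValueError(f"UID would resolve outside the staging directory: {uid!r}")
    return Path(staging_dir).resolve() / uid


def random_staging_path(staging_dir: str) -> Path:
    """Random-filename option from the discussion: the UID never touches the filesystem."""
    return Path(staging_dir).resolve() / secrets.token_hex(16)


if __name__ == "__main__":
    for uid in (VALID_UID, MALICIOUS_UID, "1.02.3", "1..2"):
        try:
            print(uid, "->", staging_path_for_uid("/tmp/stage", uid))
        except ValueError as exc:
            print(uid, "-> rejected:", exc)
    print("random name ->", random_staging_path("/tmp/stage"))
```

The regex is the same grammar pydicom's own `UID.is_valid` checks, so in real code the first check can delegate to that; the containment check is worth keeping anyway, because it catches any future code path that builds a filename from user-controlled data without going through the UID validator.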