From d3c3aaa61f7598f275f30fabd3749379fe0f2720 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Tue, 31 Jul 2018 17:09:49 +0000
Subject: [PATCH] net/http: revert CL 89275 (don't sniff Content-Type when nosniff set)
Also updates the bundled http2 to x/net/http2 git rev 49c15d80 for:
http2: revert CL 107295 (don't sniff Content-type in Server when nosniff)
https://golang.org/cl/126895
Fixes #24795
Change-Id: I6ae1a21c919947089274e816eb628d20490f83ce
Reviewed-on: https://go-review.googlesource.com/126896
Reviewed-by: Damien Neil
---
 doc/go1.11.html | 5 +----
 src/net/http/h2_bundle.go | 10 +--------
 src/net/http/serve_test.go | 20 --------------------
 src/net/http/server.go | 10 +--------
 4 files changed, 3 insertions(+), 42 deletions(-)
diff --git a/doc/go1.11.html b/doc/go1.11.html
index 7e9512f5872..3fa69c4d17f 100644
--- a/doc/go1.11.html
+++ b/doc/go1.11.html
@@ -677,10 +677,7 @@ for k := range m {
 methods will return errors after a shutdown or close.

-

- The HTTP server will no longer automatically set the Content-Type if a - Handler sets the "X-Content-Type-Options" header to "nosniff". -

+

The constant StatusMisdirectedRequest is now defined for HTTP status code 421.
diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
index 463254d96c4..12cf65f109c 100644
--- a/src/net/http/h2_bundle.go
+++ b/src/net/http/h2_bundle.go
@@ -6135,15 +6135,7 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
 }
 _, hasContentType := rws.snapHeader["Content-Type"]
 if !hasContentType && http2bodyAllowedForStatus(rws.status) && len(p) > 0 {
- if cto := rws.snapHeader.Get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
- // nosniff is an explicit directive not to guess a content-type.
- // Content-sniffing is no less susceptible to polyglot attacks via
- // hosted content when done on the server.
- ctype = "application/octet-stream"
- rws.conn.logf("http2: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
- } else {
- ctype = DetectContentType(p)
- }
+ ctype = DetectContentType(p)
 }
 var date string
 if _, ok := rws.snapHeader["Date"]; !ok {
diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
index b53c2f856bc..a4385419d04 100644
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -3585,26 +3585,6 @@ func TestHeaderToWire(t *testing.T) {
 return nil
 },
 },
- {
- name: "Nosniff without Content-type",
- handler: func(rw ResponseWriter, r *Request) {
- rw.Header().Set("X-Content-Type-Options", "nosniff")
- rw.WriteHeader(200)
- rw.Write([]byte("\nsome html"))
- },
- check: func(got, logs string) error {
- if !strings.Contains(got, "Content-Type: application/octet-stream\r\n") {
- return errors.New("Output should have an innocuous content-type")
- }
- if strings.Contains(got, "text/html") {
- return errors.New("Output should not have a guess")
- }
- if !strings.Contains(logs, "X-Content-Type-Options:nosniff but no Content-Type") {
- return errors.New("Expected log message")
- }
- return nil
- },
- },
 }
 for _, tc := range tests {
 ht := newHandlerTest(HandlerFunc(tc.handler))
diff --git a/src/net/http/server.go b/src/net/http/server.go
index f501a65d0ab..c24ad750f21 100644
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -1360,15 +1360,7 @@ func (cw *chunkWriter) writeHeader(p []byte) {
 // If no content type, apply sniffing algorithm to body.
 _, haveType := header["Content-Type"]
 if !haveType && !hasTE && len(p) > 0 {
- if cto := header.get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
- // nosniff is an explicit directive not to guess a content-type.
- // Content-sniffing is no less susceptible to polyglot attacks via
- // hosted content when done on the server.
- setHeader.contentType = "application/octet-stream"
- w.conn.server.logf("http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
- } else {
- setHeader.contentType = DetectContentType(p)
- }
+ setHeader.contentType = DetectContentType(p)
 }
 } else {
 for _, k := range suppressedHeaders(code) {
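Review bot: With the nosniff branch gone, the new line `setHeader.contentType = DetectContentType(p)` in chunkWriter.writeHeader runs even when the handler has set `X-Content-Type-Options: nosniff`, so the server can still label an untyped body `text/html` — the polyglot-content concern the deleted comment described — and nothing left in the code records that this header is now deliberately ignored on the server side. Since the revert is intentional (it fixes #24795), I would extend the context comment above the check to `// If no content type, apply sniffing algorithm to body. X-Content-Type-Options is intentionally not consulted here (see #24795); a handler that wants no sniffing must set Content-Type itself.` The h2_bundle.go hunk in writeChunk makes the identical change and would carry the same comment when the bundle is next regenerated. chunkWriter.writeHeader begins and ends outside this hunk.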