1
0
mirror of https://github.com/golang/go synced 2024-11-23 05:20:11 -07:00

net/http: revert CL 89275 (don't sniff Content-Type when nosniff set)

Also updates the bundled http2 to x/net/http2 git rev 49c15d80 for:

   http2: revert CL 107295 (don't sniff Content-type in Server when nosniff)
   https://golang.org/cl/126895

Fixes #24795

Change-Id: I6ae1a21c919947089274e816eb628d20490f83ce
Reviewed-on: https://go-review.googlesource.com/126896
Reviewed-by: Damien Neil <dneil@google.com>
This commit is contained in:
Brad Fitzpatrick 2018-07-31 17:09:49 +00:00
parent 9e2a4f4dff
commit d3c3aaa61f
4 changed files with 3 additions and 42 deletions

View File

@ -677,10 +677,7 @@ for k := range m {
methods will return errors after a shutdown or close.
</p>
<p><!-- CL 89275 -->
The HTTP server will no longer automatically set the Content-Type if a
<code>Handler</code> sets the "<code>X-Content-Type-Options</code>" header to "<code>nosniff</code>".
</p>
<!-- CL 89275 was reverted before Go 1.11 -->
<p><!-- CL 93296 -->
The constant <code>StatusMisdirectedRequest</code> is now defined for HTTP status code 421.

View File

@ -6135,16 +6135,8 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
}
_, hasContentType := rws.snapHeader["Content-Type"]
if !hasContentType && http2bodyAllowedForStatus(rws.status) && len(p) > 0 {
if cto := rws.snapHeader.Get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
// nosniff is an explicit directive not to guess a content-type.
// Content-sniffing is no less susceptible to polyglot attacks via
// hosted content when done on the server.
ctype = "application/octet-stream"
rws.conn.logf("http2: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
} else {
ctype = DetectContentType(p)
}
}
var date string
if _, ok := rws.snapHeader["Date"]; !ok {
// TODO(bradfitz): be faster here, like net/http? measure.

View File

@ -3585,26 +3585,6 @@ func TestHeaderToWire(t *testing.T) {
return nil
},
},
{
name: "Nosniff without Content-type",
handler: func(rw ResponseWriter, r *Request) {
rw.Header().Set("X-Content-Type-Options", "nosniff")
rw.WriteHeader(200)
rw.Write([]byte("<!doctype html>\n<html><head></head><body>some html</body></html>"))
},
check: func(got, logs string) error {
if !strings.Contains(got, "Content-Type: application/octet-stream\r\n") {
return errors.New("Output should have an innocuous content-type")
}
if strings.Contains(got, "text/html") {
return errors.New("Output should not have a guess")
}
if !strings.Contains(logs, "X-Content-Type-Options:nosniff but no Content-Type") {
return errors.New("Expected log message")
}
return nil
},
},
}
for _, tc := range tests {
ht := newHandlerTest(HandlerFunc(tc.handler))

View File

@ -1360,16 +1360,8 @@ func (cw *chunkWriter) writeHeader(p []byte) {
// If no content type, apply sniffing algorithm to body.
_, haveType := header["Content-Type"]
if !haveType && !hasTE && len(p) > 0 {
if cto := header.get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
// nosniff is an explicit directive not to guess a content-type.
// Content-sniffing is no less susceptible to polyglot attacks via
// hosted content when done on the server.
setHeader.contentType = "application/octet-stream"
w.conn.server.logf("http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
} else {
setHeader.contentType = DetectContentType(p)
}
}
} else {
for _, k := range suppressedHeaders(code) {
delHeader(k)