github-mirror/caddy
2
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-11-26 02:09:47 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fileserver: Reject non-GET/HEAD requests (close #5166) (#5167)

Browse Source 
* fileserver: Reject non-GET/HEAD requests (close #5166)

* Set Allow header according to RFC 9110 10.2.1
This commit is contained in:
Matt Holt 2022-10-24 10:23:57 -06:00 committed by GitHub
parent 4bf6cb4199
commit a3ae146cbd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
modules/caddyhttp/fileserver/staticfiles.go
View File

@ -410,6 +410,14 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
etag = calculateEtag(info)
}
// at this point, we're serving a file; Go std lib supports only
// GET and HEAD, which is sensible for a static file server - reject
// any other methods (see issue #5166)
if r.Method != http.MethodGet && r.Method != http.MethodHead {
w.Header().Add("Allow", "GET, HEAD")
return caddyhttp.Error(http.StatusMethodNotAllowed, nil)
}
// set the Etag - note that a conditional If-None-Match request is handled
// by http.ServeContent below, which checks against this Etag value
w.Header().Set("Etag", etag)