changeset 7159:765222ef4cec
- issue2551257: add 'X-Content-Type-Options: nosniff' header for file download
when downloading an attached (user supplied file), make sure that an
'X-Content-Type-Options: nosniff' header is sent.
Added test for header as well.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 16:20:32 -0500 |
| parents | 89f84f0d7cd3 |
| children | ed63b6d35838 |
| files | CHANGES.txt roundup/cgi/client.py test/test_liveserver.py |
| diffstat | 3 files changed, 4 insertions(+), 1 deletions(-) [+] |
--- a/CHANGES.txt Thu Feb 23 16:02:51 2023 -0500 +++ b/CHANGES.txt Thu Feb 23 16:20:32 2023 -0500 @@ -70,6 +70,8 @@ security issue with rest when using '*'. - issue2551263: In REST response expose rate limiting, sunset, allow HTTP headers to calling javascript. +- issue2551257: When downloading an attached (user supplied file), + make sure that an 'X-Content-Type-Options: nosniff' header is sent. Features:
--- a/roundup/cgi/client.py Thu Feb 23 16:02:51 2023 -0500 +++ b/roundup/cgi/client.py Thu Feb 23 16:20:32 2023 -0500 @@ -846,7 +846,7 @@ # exception handlers. self.determine_language() self.db.i18n = self.translator - + self.setHeader("X-Content-Type-Options", "nosniff") self.serve_file(designator) except SendStaticFile as file: self.serve_static_file(str(file))
--- a/test/test_liveserver.py Thu Feb 23 16:02:51 2023 -0500 +++ b/test/test_liveserver.py Thu Feb 23 16:20:32 2023 -0500 @@ -1197,6 +1197,7 @@ # download file and verify content f = session.get(self.url_base()+'/file%(file)s/text1.txt'%m.groupdict()) self.assertEqual(f.text, file_content) + self.assertEqual(f.headers["X-Content-Type-Options"], "nosniff") print(f.text) def test_new_file_via_rest(self):
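Review bot: in the CHANGES.txt hunk the new entry says which header is sent but not what it is for; one clause stating that `nosniff` makes browsers honour the declared Content-Type of a user-supplied attachment instead of guessing a different type from its bytes would tell readers of the security section why this matters. Suggested wording: `make sure that an 'X-Content-Type-Options: nosniff' header is sent so browsers use the declared Content-Type rather than sniffing the file.`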
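Review bot: in the roundup/cgi/client.py hunk the header is set at the call site, immediately before `self.serve_file(designator)`, so only this one path gets it; the `SendStaticFile` branch two lines below still serves files without it, and any other caller of `serve_file` would have to remember to add it. Consider moving `self.setHeader("X-Content-Type-Options", "nosniff")` into `serve_file` itself (or into the common response path if static files should carry it too), and state in the commit message whether leaving static files without the header is intentional.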
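Review bot: in the test/test_liveserver.py hunk, `f.headers["X-Content-Type-Options"]` raises `KeyError` when the header is missing, which still fails the test but buries the intent in a traceback; `self.assertEqual(f.headers.get("X-Content-Type-Options"), "nosniff")` fails with a readable `None != 'nosniff'` instead. The `print(f.text)` in the trailing context is leftover debug output and could be dropped while this test is being touched.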
