cybercyst/go
1
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-05-29 19:35:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

net/http: don't sniff Content-type in Server when X-Content-Type-Options:nosniff

Browse Source 
The docs for ResponseWriter.Write say
// If the Header
// does not contain a Content-Type line, Write adds a Content-Type set
// to the result of passing the initial 512 bytes of written data to
// DetectContentType.

The header X-Content-Type-Options:nosniff is an explicit directive that
content-type should not be sniffed.

This changes the behavior of Response.WriteHeader so that, when
there is an X-Content-Type-Options:nosniff header, but there is
no Content-type header, the following happens:
1.  A Content-type:application/octet-stream is added
2.  A warning is logged via the server's logging mechanism.

Previously, a content-type would have been silently added based on
heuristic analysis of the first 512B which might allow a hosted
GIF like http://www.thinkfu.com/blog/gifjavascript-polyglots to be
categorized as JavaScript which might allow a CSP bypass, loading
as a script despite `Content-Security-Policy: script-src 'self' `.

----

https://fetch.spec.whatwg.org/#x-content-type-options-header
defines the X-Content-Type-Options header.

["Polyglots: Crossing Origins by Crossing Formats"](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.905.2946&rep=rep1&type=pdf)
explains Polyglot attacks in more detail.

Change-Id: I2c8800d2e4b4d10d9e08a0e3e5b20334a75f03c0
Reviewed-on: https://go-review.googlesource.com/89275
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Mike Samuel 2018-01-23 14:27:47 -05:00 committed by Brad Fitzpatrick
parent c3cb44fdef
commit 1a677e03c8
2 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/net/http/serve_test.go
View File

@ -3553,6 +3553,23 @@ func TestHeaderToWire(t *testing.T) {
return nil return nil
}, },
}, },
{
name: "Nosniff without Content-type",
handler: func(rw ResponseWriter, r *Request) {
rw.Header().Set("X-Content-Type-Options", "nosniff")
rw.WriteHeader(200)
rw.Write([]byte("<!doctype html>\n<html><head></head><body>some html</body></html>"))
},
check: func(got string) error {
if !strings.Contains(got, "Content-Type: application/octet-stream\r\n") {
return errors.New("Output should have an innocuous content-type")
}
if strings.Contains(got, "text/html") {
return errors.New("Output should not have a guess")
}
return nil
},
},
} }
for _, tc := range tests { for _, tc := range tests {
ht := newHandlerTest(HandlerFunc(tc.handler)) ht := newHandlerTest(HandlerFunc(tc.handler))

10
src/net/http/server.go
View File

@ -1339,7 +1339,15 @@ func (cw *chunkWriter) writeHeader(p []byte) {
// If no content type, apply sniffing algorithm to body. // If no content type, apply sniffing algorithm to body.
_, haveType := header["Content-Type"] _, haveType := header["Content-Type"]
if !haveType && !hasTE && len(p) > 0 { if !haveType && !hasTE && len(p) > 0 {
setHeader.contentType = DetectContentType(p) if cto := header.get("X-Content-Type-Options"); strings.EqualFold("nosniff", cto) {
// nosniff is an explicit directive not to guess a content-type.
// Content-sniffing is no less susceptible to polyglot attacks via
// hosted content when done on the server.
setHeader.contentType = "application/octet-stream"
w.conn.server.logf("http: WriteHeader called with X-Content-Type-Options:nosniff but no Content-Type")
} else {
setHeader.contentType = DetectContentType(p)
}
} }
} else { } else {
for _, k := range suppressedHeaders(code) { for _, k := range suppressedHeaders(code) {