
http: always set header `X-Content-Type-Options` to `nosniff` (#6008)

ᴜɴᴋɴᴡᴏɴ 5 years ago
Parent
commit
e14b6abf9d
3 changed files with 9 additions and 4 deletions
  1. + 1 - 0
      CHANGELOG.md
  2. + 4 - 4
      internal/assets/public/public_gen.go
  3. + 4 - 0
      internal/context/context.go

+ 1 - 0
CHANGELOG.md

@@ -42,6 +42,7 @@ All notable changes to Gogs are documented in this file.
 - [Security] Potential XSS attack via `.ipynb`. [#5170](https://github.com/gogs/gogs/issues/5170)
 - [Security] Potential SSRF attack via webhooks. [#5366](https://github.com/gogs/gogs/issues/5366)
 - [Security] Potential CSRF attack in admin panel. [#5367](https://github.com/gogs/gogs/issues/5367)
+- [Security] Potential stored XSS attack in some browsers. [#5397](https://github.com/gogs/gogs/issues/5397)
 - [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
 - [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
 - Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
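Review bot: The new entry on the `+- [Security]` line names the symptom ("stored XSS attack in some browsers") but not the mechanism or the fix, so a reader skimming the changelog cannot connect it to the `X-Content-Type-Options: nosniff` header this commit adds. Consider wording it to match the commit subject, e.g. `- [Security] Potential stored XSS via MIME type sniffing in some browsers; responses now send `X-Content-Type-Options: nosniff`. [#5397](https://github.com/gogs/gogs/issues/5397)`, so that anyone auditing which mitigations a release ships can find it by header name.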

The diff is not shown because the file is too large.
+ 4 - 4
internal/assets/public/public_gen.go


+ 4 - 0
internal/context/context.go

@@ -335,6 +335,10 @@ func Contexter() macaron.Handler {
 
 		c.renderNoticeBanner()
 
+		// 🚨 SECURITY: Prevent MIME type sniffing in some browsers,
+		// see https://github.com/gogs/gogs/issues/5397 for details.
+		c.Header().Set("X-Content-Type-Options", "nosniff")
+
 		ctx.Map(c)
 	}
 }
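Review bot: The `c.Header().Set("X-Content-Type-Options", "nosniff")` call sits after `c.renderNoticeBanner()`; HTTP headers only take effect if they are set before anything is written to the response, so if that call (or any earlier step in `Contexter`) ever starts writing the body, the header is silently dropped. Moving the `Set` to the top of the handler, before any rendering helper runs, makes the guarantee independent of what those helpers do. Also note that this only covers requests that pass through `Contexter`; responses served by middleware registered ahead of it (static asset handlers, for instance) will not carry the header, which is worth confirming with a quick `curl -I` against a raw file URL and a static asset URL after deploying, since raw user uploads are exactly where sniffing matters.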

Too many files were changed in this diff, so some files are not shown.