Fix setting HTTP headers after write (#21833)

The headers can't be modified after it was send to the client.
2022-11-17 18:55:15 +01:00 · 2022-11-17 18:55:15 +01:00 · 43ab9324c5
commit 43ab9324c5
parent c144942b23
5 changed files with 72 additions and 58 deletions
--- a/routers/api/packages/rubygems/rubygems.go
+++ b/routers/api/packages/rubygems/rubygems.go
@ -77,7 +77,9 @@ func enumeratePackages(ctx *context.Context, filename string, pvs []*packages_mo
 		})
 	}

-	ctx.SetServeHeaders(filename + ".gz")
+	ctx.SetServeHeaders(&context.ServeHeaderOptions{
+		Filename: filename + ".gz",
+	})

 	zw := gzip.NewWriter(ctx.Resp)
 	defer zw.Close()
@ -115,7 +117,9 @@ func ServePackageSpecification(ctx *context.Context) {
 		return
 	}

-	ctx.SetServeHeaders(filename)
+	ctx.SetServeHeaders(&context.ServeHeaderOptions{
+		Filename: filename,
+	})

 	zw := zlib.NewWriter(ctx.Resp)
 	defer zw.Close()
--- a/routers/common/repo.go
+++ b/routers/common/repo.go
@ -7,7 +7,6 @@ package common
 import (
 	"fmt"
 	"io"
-	"net/url"
 	"path"
 	"path/filepath"
 	"strings"
@ -53,50 +52,44 @@ func ServeData(ctx *context.Context, filePath string, size int64, reader io.Read
 		buf = buf[:n]
 	}

-	httpcache.AddCacheControlToHeader(ctx.Resp.Header(), 5*time.Minute)
-
 	if size >= 0 {
 		ctx.Resp.Header().Set("Content-Length", fmt.Sprintf("%d", size))
 	} else {
 		log.Error("ServeData called to serve data: %s with size < 0: %d", filePath, size)
 	}

-	fileName := path.Base(filePath)
-	sniffedType := typesniffer.DetectContentType(buf)
-	isPlain := sniffedType.IsText() || ctx.FormBool("render")
-	mimeType := ""
-	charset := ""
-
-	if setting.MimeTypeMap.Enabled {
-		fileExtension := strings.ToLower(filepath.Ext(fileName))
-		mimeType = setting.MimeTypeMap.Map[fileExtension]
+	opts := &context.ServeHeaderOptions{
+		Filename: path.Base(filePath),
 	}

-	if mimeType == "" {
+	sniffedType := typesniffer.DetectContentType(buf)
+	isPlain := sniffedType.IsText() || ctx.FormBool("render")
+
+	if setting.MimeTypeMap.Enabled {
+		fileExtension := strings.ToLower(filepath.Ext(filePath))
+		opts.ContentType = setting.MimeTypeMap.Map[fileExtension]
+	}
+
+	if opts.ContentType == "" {
 		if sniffedType.IsBrowsableBinaryType() {
-			mimeType = sniffedType.GetMimeType()
+			opts.ContentType = sniffedType.GetMimeType()
 		} else if isPlain {
-			mimeType = "text/plain"
+			opts.ContentType = "text/plain"
 		} else {
-			mimeType = typesniffer.ApplicationOctetStream
+			opts.ContentType = typesniffer.ApplicationOctetStream
 		}
 	}

 	if isPlain {
+		var charset string
 		charset, err = charsetModule.DetectEncoding(buf)
 		if err != nil {
 			log.Error("Detect raw file %s charset failed: %v, using by default utf-8", filePath, err)
 			charset = "utf-8"
 		}
+		opts.ContentTypeCharset = strings.ToLower(charset)
 	}

-	if charset != "" {
-		ctx.Resp.Header().Set("Content-Type", mimeType+"; charset="+strings.ToLower(charset))
-	} else {
-		ctx.Resp.Header().Set("Content-Type", mimeType)
-	}
-	ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")
-
 	isSVG := sniffedType.IsSvgImage()

 	// serve types that can present a security risk with CSP
@ -109,16 +102,12 @@ func ServeData(ctx *context.Context, filePath string, size int64, reader io.Read
 		ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'")
 	}

-	disposition := "inline"
+	opts.Disposition = "inline"
 	if isSVG && !setting.UI.SVG.Enabled {
-		disposition = "attachment"
+		opts.Disposition = "attachment"
 	}

-	// encode filename per https://datatracker.ietf.org/doc/html/rfc5987
-	encodedFileName := `filename*=UTF-8''` + url.PathEscape(fileName)
-
-	ctx.Resp.Header().Set("Content-Disposition", disposition+"; "+encodedFileName)
-	ctx.Resp.Header().Set("Access-Control-Expose-Headers", "Content-Disposition")
+	ctx.SetServeHeaders(opts)

 	_, err = ctx.Resp.Write(buf)
 	if err != nil {
--- a/routers/web/feed/profile.go
+++ b/routers/web/feed/profile.go
@ -5,7 +5,6 @@
 package feed

 import (
-	"net/http"
 	"time"

 	activities_model "code.gitea.io/gitea/models/activities"
@ -59,7 +58,6 @@ func showUserFeed(ctx *context.Context, formatType string) {

 // writeFeed write a feeds.Feed as atom or rss to ctx.Resp
 func writeFeed(ctx *context.Context, feed *feeds.Feed, formatType string) {
-	ctx.Resp.WriteHeader(http.StatusOK)
 	if formatType == "atom" {
 		ctx.Resp.Header().Set("Content-Type", "application/atom+xml;charset=utf-8")
 		if err := feed.WriteAtom(ctx.Resp); err != nil {
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -604,7 +604,10 @@ func RegisterRoutes(m *web.Route) {

 	m.Group("", func() {
 		m.Get("/favicon.ico", func(ctx *context.Context) {
-			ctx.ServeFile(path.Join(setting.StaticRootPath, "public/img/favicon.png"))
+			ctx.SetServeHeaders(&context.ServeHeaderOptions{
+				Filename: "favicon.png",
+			})
+			http.ServeFile(ctx.Resp, ctx.Req, path.Join(setting.StaticRootPath, "public/img/favicon.png"))
 		})
 		m.Group("/{username}", func() {
 			m.Get(".png", func(ctx *context.Context) { ctx.Error(http.StatusNotFound) })