http: always set header X-Content-Type-Options to nosniff (#6008)

unknwon · mpsonntag · commit b8e5b10496cd · 2020-11-26T15:53:28.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,6 +42,7 @@ All notable changes to Gogs are documented in this file.
 - [Security] Potential XSS attack via `.ipynb`. [#5170](https://github.com/gogs/gogs/issues/5170)
 - [Security] Potential SSRF attack via webhooks. [#5366](https://github.com/gogs/gogs/issues/5366)
 - [Security] Potential CSRF attack in admin panel. [#5367](https://github.com/gogs/gogs/issues/5367)
+- [Security] Potential stored XSS attack in some browsers. [#5397](https://github.com/gogs/gogs/issues/5397)
 - [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
 - [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
 - Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
diff --git a/internal/context/context.go b/internal/context/context.go
@@ -336,6 +336,10 @@ func Contexter() macaron.Handler {
 
 		c.renderNoticeBanner()
 
+		// 🚨 SECURITY: Prevent MIME type sniffing in some browsers,
+		// see https://github.com/gogs/gogs/issues/5397 for details.
+		c.Header().Set("X-Content-Type-Options", "nosniff")
+
 		ctx.Map(c)
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -336,6 +336,10 @@ func Contexter() macaron.Handler {`
`336`	`336`
`337`	`337`	`c.renderNoticeBanner()`
`338`	`338`
	`339`	`+ // 🚨 SECURITY: Prevent MIME type sniffing in some browsers,`
	`340`	`+ // see https://github.com/gogs/gogs/issues/5397 for details.`
	`341`	`+ c.Header().Set("X-Content-Type-Options", "nosniff")`
	`342`	`+`
`339`	`343`	`ctx.Map(c)`
`340`	`344`	`}`
`341`	`345`	`}`