authorMatt Holt <mholt@users.noreply.github.com>2022-10-24 10:23:57 -0600
committerGitHub <noreply@github.com>2022-10-24 10:23:57 -0600
commita3ae146cbdf2cfbdbdf5feea52e8bf407cce2b31 (patch)
treec040b8901cb7f8d53b29c9f69c9709dbc2ea44d2
parent4bf6cb41990e16b1d99015aea080d06d7ef1152d (diff)
fileserver: Reject non-GET/HEAD requests (close #5166) (#5167)
* fileserver: Reject non-GET/HEAD requests (close #5166) * Set Allow header according to RFC 9110 10.2.1
-rw-r--r--modules/caddyhttp/fileserver/staticfiles.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index fe1a4fc..c0fde66 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -410,6 +410,14 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
etag = calculateEtag(info)
}
+ // at this point, we're serving a file; Go std lib supports only
+ // GET and HEAD, which is sensible for a static file server - reject
+ // any other methods (see issue #5166)
+ if r.Method != http.MethodGet && r.Method != http.MethodHead {
+ w.Header().Add("Allow", "GET, HEAD")
+ return caddyhttp.Error(http.StatusMethodNotAllowed, nil)
+ }
+
// set the Etag - note that a conditional If-None-Match request is handled
// by http.ServeContent below, which checks against this Etag value
w.Header().Set("Etag", etag)
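Review bot: The new method check sits after the file has already been resolved and stat'd and its ETag computed (L20), so a POST/PUT/DELETE still pays the full filesystem path and carries whatever response headers ServeHTTP set earlier in the function, which begins outside this hunk, into the 405. If keeping 404/pass-through behaviour for paths that do not resolve to a file is the reason for the late placement, the comment should say so, e.g. `// deliberately checked only once a real file is about to be served, so missing paths still 404 / fall through`; otherwise the guard belongs at the top of ServeHTTP. Prefer `w.Header().Set("Allow", "GET, HEAD")` over `Add`, since a stale Allow value set by an upstream handler would otherwise be concatenated with this authoritative one. Note also that the header only reaches the client if Caddy's error path preserves headers set before the error return, which I cannot confirm from this hunk, and that OPTIONS requests now receive 405 rather than a generic allow response.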