author | Matt Holt <mholt@users.noreply.github.com> | 2022-10-24 10:23:57 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-24 10:23:57 -0600 |
commit | a3ae146cbdf2cfbdbdf5feea52e8bf407cce2b31 (patch) | |
tree | c040b8901cb7f8d53b29c9f69c9709dbc2ea44d2 | |
parent | 4bf6cb41990e16b1d99015aea080d06d7ef1152d (diff) |
fileserver: Reject non-GET/HEAD requests (close #5166) (#5167)
* fileserver: Reject non-GET/HEAD requests (close #5166)
* Set Allow header according to RFC 9110 10.2.1
-rw-r--r-- | modules/caddyhttp/fileserver/staticfiles.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index fe1a4fc..c0fde66 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -410,6 +410,14 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 etag = calculateEtag(info)
 }
+ // at this point, we're serving a file; Go std lib supports only
+ // GET and HEAD, which is sensible for a static file server - reject
+ // any other methods (see issue #5166)
+ if r.Method != http.MethodGet && r.Method != http.MethodHead {
+ w.Header().Add("Allow", "GET, HEAD")
+ return caddyhttp.Error(http.StatusMethodNotAllowed, nil)
+ }
+
 // set the Etag - note that a conditional If-None-Match request is handled
 // by http.ServeContent below, which checks against this Etag value
 w.Header().Set("Etag", etag)
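Review bot: The method check is placed after the file has already been resolved and its ETag computed, so a rejected request still pays the full path lookup and any branch of ServeHTTP that returns before this point (outside the hunk) is not covered by the guard; if the goal is a blanket GET/HEAD-only policy for the file server, moving the check to the top of ServeHTTP would make that explicit and cheaper. `w.Header().Add("Allow", "GET, HEAD")` should presumably be `w.Header().Set("Allow", "GET, HEAD")`, since Allow is an authoritative list for this resource and `Add` would produce a duplicated value if an earlier handler already set it. The diffstat shows no test; a test that sends a non-GET/HEAD request for an existing file and asserts a 405 with `Allow: GET, HEAD` would pin the new behavior. ServeHTTP begins and ends outside this hunk.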