From a3ae146cbdf2cfbdbdf5feea52e8bf407cce2b31 Mon Sep 17 00:00:00 2001 From: Matt Holt Date: Mon, 24 Oct 2022 10:23:57 -0600 Subject: fileserver: Reject non-GET/HEAD requests (close #5166) (#5167) * fileserver: Reject non-GET/HEAD requests (close #5166) * Set Allow header according to RFC 9110 10.2.1 --- modules/caddyhttp/fileserver/staticfiles.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go index fe1a4fc..c0fde66 100644 --- a/modules/caddyhttp/fileserver/staticfiles.go +++ b/modules/caddyhttp/fileserver/staticfiles.go @@ -410,6 +410,14 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c etag = calculateEtag(info) } + // at this point, we're serving a file; Go std lib supports only + // GET and HEAD, which is sensible for a static file server - reject + // any other methods (see issue #5166) + if r.Method != http.MethodGet && r.Method != http.MethodHead { + w.Header().Add("Allow", "GET, HEAD") + return caddyhttp.Error(http.StatusMethodNotAllowed, nil) + } + // set the Etag - note that a conditional If-None-Match request is handled // by http.ServeContent below, which checks against this Etag value w.Header().Set("Etag", etag) -- cgit v1.2.3