From d49f762f6d9cdc2e92e8de40f0b0e99a9d0c4fc9 Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Fri, 21 Jun 2019 14:36:26 -0600
Subject: Various bug fixes and minor improvements

- Fix static responder so it doesn't replace its own headers config,
  and instead replaces the actual response header values
- caddyhttp.ResponseRecorder type optionally buffers response
- Add interface guards to ensure regexp matchers get provisioned
- Use default HTTP port if one is not explicitly set
- Encode middleware writes status code 200 if not written upstream
- Templates and markdown only try to execute on text responses
- Static file server sets Content-Type based on file extension only
  (this whole thing -- MIME sniffing, etc -- needs more configurability)
---
 modules/caddyhttp/fileserver/browse.go      |  1 +
 modules/caddyhttp/fileserver/staticfiles.go | 14 +++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

(limited to 'modules/caddyhttp/fileserver')

diff --git a/modules/caddyhttp/fileserver/browse.go b/modules/caddyhttp/fileserver/browse.go
index 1329541..5dda294 100644
--- a/modules/caddyhttp/fileserver/browse.go
+++ b/modules/caddyhttp/fileserver/browse.go
@@ -66,6 +66,7 @@ func (fsrv *FileServer) serveBrowse(dirPath string, w http.ResponseWriter, r *ht
 		}
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	}
+
 	buf.WriteTo(w)
 
 	return nil
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index 080e1a8..49c2be4 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"html/template"
 	weakrand "math/rand"
+	"mime"
 	"net/http"
 	"os"
 	"path"
@@ -185,14 +186,21 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) error
 
 	// TODO: Etag
 
-	// do not allow Go to sniff the content-type
 	if w.Header().Get("Content-Type") == "" {
-		w.Header()["Content-Type"] = nil
+		mtyp := mime.TypeByExtension(filepath.Ext(filename))
+		if mtyp == "" {
+			// do not allow Go to sniff the content-type; see
+			// https://www.youtube.com/watch?v=8t8JYpt0egE
+			// TODO: Consider writing a default mime type of application/octet-stream - this is secure but violates spec
+			w.Header()["Content-Type"] = nil
+		} else {
+			w.Header().Set("Content-Type", mtyp)
+		}
 	}
 
 	// let the standard library do what it does best; note, however,
 	// that errors generated by ServeContent are written immediately
-	// to the response, so we cannot handle them (but errors here
+	// to the response, so we cannot handle them (but errors there
 	// are rare)
 	http.ServeContent(w, r, info.Name(), info.ModTime(), file)
 
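Review bot: In the `mtyp == ""` branch the response goes out with no Content-Type at all, so Go no longer sniffs but the client is still free to guess the type of any file whose extension is unknown. Because this handler serves arbitrary files from disk, I would add `w.Header().Set("X-Content-Type-Options", "nosniff")` next to the nil assignment (or unconditionally before `http.ServeContent`), unless a handler not visible in this hunk already sets it. Separately, `mime.TypeByExtension` consults the host's MIME tables as well as the built-in ones, so the same file can be labelled differently across deployments; a short comment at the call saying so would help. ServeHTTP begins and ends outside this hunk, so any earlier header handling is not visible here.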
-- 
cgit v1.2.3