Commit de7bf4f2 authored by Simon Lightfoot's avatar Simon Lightfoot Committed by Matt Holt

Enable downloading of protected content. See issue #979 (#980)

* Fix for stripping of 'Content-Disposition' and other headers from 'X-Accel-Redirect' redirect scripts.

* Added test case for header manipulation of redirect response.
parent 681c95a7
...@@ -3,6 +3,7 @@ Thumbs.db ...@@ -3,6 +3,7 @@ Thumbs.db
_gitignore/ _gitignore/
Vagrantfile Vagrantfile
.vagrant/ .vagrant/
/.idea
dist/builds/ dist/builds/
dist/release/ dist/release/
......
...@@ -20,8 +20,10 @@ type Internal struct { ...@@ -20,8 +20,10 @@ type Internal struct {
} }
const ( const (
redirectHeader string = "X-Accel-Redirect" redirectHeader string = "X-Accel-Redirect"
maxRedirectCount int = 10 contentLengthHeader string = "Content-Length"
contentEncodingHeader string = "Content-Encoding"
maxRedirectCount int = 10
) )
func isInternalRedirect(w http.ResponseWriter) bool { func isInternalRedirect(w http.ResponseWriter) bool {
...@@ -68,11 +70,12 @@ type internalResponseWriter struct { ...@@ -68,11 +70,12 @@ type internalResponseWriter struct {
http.ResponseWriter http.ResponseWriter
} }
// ClearHeader removes all header fields that are already set. // ClearHeader removes script headers that would interfere with follow up
// redirect requests.
func (w internalResponseWriter) ClearHeader() { func (w internalResponseWriter) ClearHeader() {
for k := range w.Header() { w.Header().Del(redirectHeader)
w.Header().Del(k) w.Header().Del(contentLengthHeader)
} w.Header().Del(contentEncodingHeader)
} }
// WriteHeader ignores the call if the response should be redirected to an // WriteHeader ignores the call if the response should be redirected to an
......
...@@ -7,6 +7,12 @@ import ( ...@@ -7,6 +7,12 @@ import (
"testing" "testing"
"github.com/mholt/caddy/caddyhttp/httpserver" "github.com/mholt/caddy/caddyhttp/httpserver"
"strconv"
)
const (
internalProtectedData = "~~~protected-data~~~"
contentTypeOctetStream = "application/octet-stream"
) )
func TestInternal(t *testing.T) { func TestInternal(t *testing.T) {
...@@ -30,6 +36,7 @@ func TestInternal(t *testing.T) { ...@@ -30,6 +36,7 @@ func TestInternal(t *testing.T) {
{"/cycle", http.StatusInternalServerError, ""}, {"/cycle", http.StatusInternalServerError, ""},
} }
var i int
for i, test := range tests { for i, test := range tests {
req, err := http.NewRequest("GET", test.url, nil) req, err := http.NewRequest("GET", test.url, nil)
if err != nil { if err != nil {
...@@ -48,15 +55,66 @@ func TestInternal(t *testing.T) { ...@@ -48,15 +55,66 @@ func TestInternal(t *testing.T) {
i, test.expectedBody, test.url, rec.Body.String()) i, test.expectedBody, test.url, rec.Body.String())
} }
} }
{
req, err := http.NewRequest("GET", "/download", nil)
if err != nil {
t.Fatalf("Test %d: Could not create HTTP request: %v", i, err)
}
rec := httptest.NewRecorder()
code, _ := im.ServeHTTP(rec, req)
if code != 0 {
t.Errorf("Test %d: Expected status code %d for %s, but got %d",
i, 0, "/download", code)
}
if rec.Body.String() != internalProtectedData {
t.Errorf("Test %d: Expected body '%s' for %s, but got '%s'",
i, internalProtectedData, "/download", rec.Body.String())
}
contentLength, err := strconv.Atoi(rec.Header().Get("Content-Length"))
if err != nil || contentLength != len(internalProtectedData) {
t.Errorf("Test %d: Expected content-length %d for %s, but got %d",
i, len(internalProtectedData), "/download", contentLength)
}
if val := rec.Header().Get("Content-Type"); val != contentTypeOctetStream {
t.Errorf("Test %d: Expected content-type '%s' header for %s, but got '%s'",
i, contentTypeOctetStream, "/download", val)
}
if val := rec.Header().Get("Content-Disposition"); val == "" {
t.Errorf("Test %d: Expected content-disposition header for %s",
i, "/download")
}
if val := rec.Header().Get("Content-Encoding"); val != "" {
t.Errorf("Test %d: Expected removal of content-encoding header for %s",
i, "/download")
}
}
} }
func internalTestHandlerFunc(w http.ResponseWriter, r *http.Request) (int, error) { func internalTestHandlerFunc(w http.ResponseWriter, r *http.Request) (int, error) {
switch r.URL.Path { switch r.URL.Path {
case "/redirect": case "/redirect":
w.Header().Set("X-Accel-Redirect", "/internal") w.Header().Set("X-Accel-Redirect", "/internal")
case "/cycle": case "/cycle":
w.Header().Set("X-Accel-Redirect", "/cycle") w.Header().Set("X-Accel-Redirect", "/cycle")
case "/download":
w.Header().Set("X-Accel-Redirect", "/internal/data")
w.Header().Set("Content-Disposition", "attachment; filename=test")
w.Header().Set("Content-Encoding", "magic")
w.Header().Set("Content-Length", "999")
case "/internal/data":
w.WriteHeader(http.StatusOK)
w.Header().Set("Content-Type", contentTypeOctetStream)
w.Header().Set("Content-Length", strconv.Itoa(len(internalProtectedData)))
w.Write([]byte(internalProtectedData))
return 0, nil
} }
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, r.URL.String()) fmt.Fprintf(w, r.URL.String())
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment