http: always set header `X-Content-Type-Options` to `nosniff` (#6008)

pull/6011/head
ᴜɴᴋɴᴡᴏɴ 2020-03-23 22:18:05 +08:00 committed by GitHub
parent 740f814ce0
commit e14b6abf9d
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 12 deletions


@ -42,6 +42,7 @@ All notable changes to Gogs are documented in this file.
- [Security] Potential XSS attack via `.ipynb`. [#5170](https://github.com/gogs/gogs/issues/5170)
- [Security] Potential SSRF attack via webhooks. [#5366](https://github.com/gogs/gogs/issues/5366)
- [Security] Potential CSRF attack in admin panel. [#5367](https://github.com/gogs/gogs/issues/5367)
- [Security] Potential stored XSS attack in some browsers. [#5397](https://github.com/gogs/gogs/issues/5397)
- [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
- [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
- Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
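Review bot: the changelog entries in this hunk never name the header this commit introduces, and the references disagree with the rest of the change: the commit subject cites #6008, the Go code comment cites #5397, and the #5397 line here reads only "Potential stored XSS attack in some browsers". Suggest saying what was actually done so operators can recognise it in responses, for example "[Security] Potential stored XSS attack in some browsers; all responses now carry X-Content-Type-Options: nosniff. [#5397]", and make the issue or PR reference in the changelog, the code comment and the commit subject agree.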

File diff suppressed because one or more lines are too long


@ -335,6 +335,10 @@ func Contexter() macaron.Handler {
c.renderNoticeBanner()
// 🚨 SECURITY: Prevent MIME type sniffing in some browsers,
// see https://github.com/gogs/gogs/issues/5397 for details.
c.Header().Set("X-Content-Type-Options", "nosniff")
ctx.Map(c)
}
}
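Review bot: `c.Header().Set("X-Content-Type-Options", "nosniff")` is placed at the very end of Contexter, after `c.renderNoticeBanner()`, so any response the middleware itself writes before reaching this line (a redirect or an error returned from an earlier branch of the handler) goes out without the header; Go's net/http ignores header changes once WriteHeader has been called. Suggest making the Set the first statement of the handler so that every response passing through this middleware carries it, not only the ones that reach `ctx.Map(c)`. The comment should also say that the header only covers routes behind Contexter; anything served by a handler registered outside this chain is unaffected by this change. Verify after the change with `curl -sI <gogs-url>/<route> | grep -i x-content-type-options` against a normal page, a redirecting URL and a raw file download, since raw content is where a sniffed Content-Type matters most.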