Add Content-Length header to HEAD requests #14542
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change adds the header Content-Length to HEAD HTTP requests. The previous behaviour was blocking some Windows executables (i.e bitsadmin.exe) from downloading files hosted in Gitea. This along with PR go-gitea#14541, makes the web server compliant with HTTP RFC 2616 which states "The methods GET and HEAD MUST be supported by all general-purpose servers" and "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response." This should also respond to issues go-gitea#8030 and go-gitea#14532.
zeripath
reviewed
Feb 1, 2021
zeripath
previously requested changes
Feb 1, 2021
Pass the Size of the content as a parameter to ServeData() instead of calculating it using ioutil.ReadAll(reader) --> this call is dangerous and can result in a denial of service.
Quick fix for imported dependency not used.
lafriks
approved these changes
Feb 1, 2021
lunny
reviewed
Feb 2, 2021
lunny
approved these changes
Feb 2, 2021
There was a problem hiding this comment.
LGTM except https://github.com/go-gitea/gitea/pull/14542/files#r568258348, I think we should add the head only size > 0.
@zeripath How did you think this maybe a security problem?
Co-authored-by: zeripath <art27@cantab.net>
6543
approved these changes
Feb 5, 2021
a1012112796
added a commit
to a1012112796/gitea
that referenced
this pull request
Feb 9, 2021
* master: (22 commits) Add support for ref parameter to get raw file API (go-gitea#14602) Fixed irritating error message related to go version (go-gitea#14611) Use OldRef instead of CommitSHA for DeleteBranch comments (go-gitea#14604) Add information on how to build statically (go-gitea#14594) [skip ci] Updated translations via Crowdin Exclude the current dump file from the dump (go-gitea#14606) Remove spurious DataAsync Error logging (go-gitea#14599) [API] Add delete release by tag & fix unreleased inconsistency (go-gitea#14563) Fix rate limit bug when downloading assets on migrating from github (go-gitea#14564) [API] Add affected files of commits to commit struct (go-gitea#14579) [skip ci] Updated licenses and gitignores Fix locale init (go-gitea#14582) Add Content-Length header to HEAD requests (go-gitea#14542) Honor REGISTER_MANUAL_CONFIRM when doing openid registration (go-gitea#14548) Fix lfs file viewer (go-gitea#14568) Fix typo in generate-emoji.go (go-gitea#14570) Fix bug about ListOptions and stars/watchers pagnation (go-gitea#14556) Fix gpg key deletion (go-gitea#14561) [API] GetRelease by tag only return release (go-gitea#14397) Reduce data races (go-gitea#14549) ...
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds the header Content-Length to HEAD HTTP requests.
The previous behavior was blocking some Windows executables (i.e
bitsadmin.exe) from downloading files hosted in Gitea.
This along with PR #14541, makes the web server compliant with HTTP RFC 2616 which states
"The methods GET and HEAD MUST be supported by all general-purpose servers"
and
"The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response."
This should also respond to issues #8030 and #14532.