SECURITY: Disallow caching of MIME/Content-Type errors (#14939)
This will signal intermediary proxies and/or misconfigured CDNs to not
cache those error responses.

Co-authored-by: Rafael dos Santos Silva <xfalcox@gmail.com>
davidtaylorhq and xfalcox committed Nov 15, 2021
1 parent a1dcf3a commit 2da0001
Showing 3 changed files with 4 additions and 3 deletions.
2 changes: 1 addition & 1 deletion lib/middleware/anonymous_cache.rb
Expand Up @@ -314,7 +314,7 @@ def call(env)
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
env[Rack::RACK_INPUT].size > 0

return [413, {}, []]
return [413, { "Cache-Control" => "private, max-age=0, must-revalidate" }, []]
end

helper = Helper.new(env)
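Review bot: the literal "private, max-age=0, must-revalidate" on the 413 branch is the same string added to discourse_public_exceptions.rb in this commit; pull it into one shared constant so the two middlewares cannot drift apart when the policy is revisited. Also consider whether `no-store` is the directive actually wanted here: `private, max-age=0, must-revalidate` stops shared caches (the stated goal) but still lets a browser keep a copy and revalidate it, whereas `no-store` forbids storing the error response anywhere.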
2 changes: 1 addition & 1 deletion lib/middleware/discourse_public_exceptions.rb
Expand Up @@ -35,7 +35,7 @@ def call(env)
begin
request.format
rescue Mime::Type::InvalidMimeType
return [400, {}, ["Invalid MIME type"]]
return [400, { "Cache-Control" => "private, max-age=0, must-revalidate" }, ["Invalid MIME type"]]
end

if ApplicationController.rescue_with_handler(exception, object: fake_controller)
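Review bot: the 400 response now carries a Cache-Control header but still no Content-Type, even though it returns the text body "Invalid MIME type"; adding `"Content-Type" => "text/plain"` to the same header hash makes the response self-describing and avoids leaving the type for the client to sniff. As in anonymous_cache.rb, the cache directive string should come from a shared constant rather than a second inline literal.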
3 changes: 2 additions & 1 deletion spec/components/middleware/anonymous_cache_spec.rb
Expand Up @@ -243,11 +243,12 @@ def new_helper(opts = {})

context 'invalid request payload' do
it 'returns 413 for GET request with payload' do
status, _, _ = middleware.call(env.tap do |environment|
status, headers, _ = middleware.call(env.tap do |environment|
environment[Rack::RACK_INPUT].write("test")
end)

expect(status).to eq(413)
expect(headers["Cache-Control"]).to eq("private, max-age=0, must-revalidate")
end
end
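Review bot: only the anonymous_cache 413 path gains a spec assertion here; the change to the 400 "Invalid MIME type" branch in discourse_public_exceptions.rb has no corresponding test in this commit (the three changed files are the two middlewares and anonymous_cache_spec.rb). Add a spec that raises `Mime::Type::InvalidMimeType` through that middleware and checks `headers["Cache-Control"]` the same way, so a regression on the second path is caught.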


0 comments on commit 2da0001