From 361fa2c6b4cacb2a01bf5c23fd4cee0a2a0a3896 Mon Sep 17 00:00:00 2001
From: Kevin O Gorman
Date: Sat, 22 Jun 2024 20:33:28 -0400
Subject: [PATCH] Disable werkzeug header generation for files served via mod_xsendfile
For partial content requests, werkzeug's default behaviour is to calculate and add the necessary Content* headers in the response. However, mod-xsendfile, used by SD to deliver files more efficiently, will just pass through requests with pre-existing Content* headers, not even removing the X-Sendfile header used to invoke it. If USE_X_SENDIFLE is set to True in the Flask config, we should stop werkzeug from generating headers, and just let mod_xsendfile do it.
(cherry picked from commit 9969e12896a9ca376fa55601191074efc0d870a7)
---
 securedrop/journalist_app/utils.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/securedrop/journalist_app/utils.py b/securedrop/journalist_app/utils.py
index 662e641048..0260e021b0 100644
--- a/securedrop/journalist_app/utils.py
+++ b/securedrop/journalist_app/utils.py
@@ -525,8 +525,13 @@ def col_download_all(cols_selected: List[str]) -> werkzeug.Response:
 def serve_file_with_etag(db_obj: Union[Reply, Submission]) -> flask.Response:
 file_path = Storage.get_default().path(db_obj.source.filesystem_id, db_obj.filename)
+ add_range_headers = not current_app.config["USE_X_SENDFILE"]
 response = send_file(
- file_path, mimetype="application/pgp-encrypted", as_attachment=True, etag=False
+ file_path,
+ mimetype="application/pgp-encrypted",
+ as_attachment=True,
+ etag=False,
+ conditional=add_range_headers,
 ) # Disable Flask default ETag
 if not db_obj.checksum:
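Review bot: The reason `conditional` is tied to `USE_X_SENDFILE` is recorded only in the commit message, and the name `add_range_headers` understates the flag: in werkzeug's `send_file`, `conditional` also controls If-Modified-Since / If-None-Match evaluation, not just Range handling. I would add a comment above the assignment, for example `# mod_xsendfile passes through responses that already carry Content-* headers (X-Sendfile header included), so let it generate them`, and consider a name such as `werkzeug_conditional`. The failure mode described is the X-Sendfile header reaching the client, which would presumably disclose the server-side storage path. The diffstat shows only `utils.py`, so a regression test would be worth adding: a Range request with `USE_X_SENDFILE = True` should return a response with no app-generated `Content-Range`. The body of `serve_file_with_etag` continues past the end of the hunk.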