Disable content sniffing on PlainTextBytes (#18359)

- Disable the browser's function to "sniff" for the content-type on the provided plain text, this will prevent the possible usage of user-controlled data being sent, which could be malicious. Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
go-gitea · Jan 22, 2022 · 27ee01e · 27ee01e
1 parent 6ad7a53
commit 27ee01e
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/modules/context/context.go b/modules/context/context.go
@@ -292,6 +292,7 @@ func (ctx *Context) PlainTextBytes(status int, bs []byte) {
 	}
 	ctx.Resp.WriteHeader(status)
 	ctx.Resp.Header().Set("Content-Type", "text/plain;charset=utf-8")
+	ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")
 	if _, err := ctx.Resp.Write(bs); err != nil {
 		log.Error("Write bytes failed: %v", err)
 	}