- issue2551257: add 'X-Content-Type-Options: nosniff' header for file download

rouilj · rouilj · commit a313115c5a47 · 2023-02-23T16:20:32.000-05:00
when downloading an attached (user supplied file), make sure that an
'X-Content-Type-Options: nosniff' header is sent.

Added test for header as well.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -70,6 +70,8 @@ Fixed:
   security issue with rest when using '*'.
 - issue2551263: In REST response expose rate limiting, sunset, allow
   HTTP headers to calling javascript.
+- issue2551257: When downloading an attached (user supplied file),
+  make sure that an 'X-Content-Type-Options: nosniff' header is sent.
 
 Features:
 
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -846,7 +846,7 @@ def inner_main(self):
                 # exception handlers.
                 self.determine_language()
                 self.db.i18n = self.translator
-
+                self.setHeader("X-Content-Type-Options", "nosniff")
                 self.serve_file(designator)
             except SendStaticFile as file:
                 self.serve_static_file(str(file))
diff --git a/test/test_liveserver.py b/test/test_liveserver.py
@@ -1197,6 +1197,7 @@ def test_new_issue_with_file_upload(self):
         # download file and verify content
         f = session.get(self.url_base()+'/file%(file)s/text1.txt'%m.groupdict())
         self.assertEqual(f.text, file_content)
+        self.assertEqual(f.headers["X-Content-Type-Options"], "nosniff")
         print(f.text)
 
     def test_new_file_via_rest(self):
