Disable content sniffing on PlainTextBytes (#18359)

Gusted · zeripath · wxiaoguang · web-flow · commit 27ee01e1e866 · 2022-01-22T13:32:35.000-05:00
- Disable the browser's function to "sniff" for the content-type on the
provided plain text, this will prevent the possible usage of
user-controlled data being sent, which could be malicious.

Co-authored-by: zeripath &lt;art27@cantab.net&gt;
Co-authored-by: wxiaoguang &lt;wxiaoguang@gmail.com&gt;
diff --git a/modules/context/context.go b/modules/context/context.go
@@ -292,6 +292,7 @@ func (ctx *Context) PlainTextBytes(status int, bs []byte) {
 	}
 	ctx.Resp.WriteHeader(status)
 	ctx.Resp.Header().Set("Content-Type", "text/plain;charset=utf-8")
+	ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")
 	if _, err := ctx.Resp.Write(bs); err != nil {
 		log.Error("Write bytes failed: %v", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -292,6 +292,7 @@ func (ctx *Context) PlainTextBytes(status int, bs []byte) {`
`292`	`292`	`}`
`293`	`293`	`ctx.Resp.WriteHeader(status)`
`294`	`294`	`ctx.Resp.Header().Set("Content-Type", "text/plain;charset=utf-8")`
	`295`	`+ ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")`
`295`	`296`	`if _, err := ctx.Resp.Write(bs); err != nil {`
`296`	`297`	`log.Error("Write bytes failed: %v", err)`
`297`	`298`	`}`