diff options
Diffstat (limited to 'vendor/github.com/gorilla/handlers')
| -rw-r--r-- | vendor/github.com/gorilla/handlers/.travis.yml | 8 | ||||
| -rw-r--r-- | vendor/github.com/gorilla/handlers/compress.go | 3 | ||||
| -rw-r--r-- | vendor/github.com/gorilla/handlers/cors.go | 3 | ||||
| -rw-r--r-- | vendor/github.com/gorilla/handlers/cors_test.go | 18 | ||||
| -rw-r--r-- | vendor/github.com/gorilla/handlers/proxy_headers.go | 23 | ||||
| -rw-r--r-- | vendor/github.com/gorilla/handlers/proxy_headers_test.go | 17 |
6 files changed, 57 insertions, 15 deletions
diff --git a/vendor/github.com/gorilla/handlers/.travis.yml b/vendor/github.com/gorilla/handlers/.travis.yml index 783020996..4ea1e7a1f 100644 --- a/vendor/github.com/gorilla/handlers/.travis.yml +++ b/vendor/github.com/gorilla/handlers/.travis.yml @@ -6,13 +6,13 @@ matrix: - go: 1.4 - go: 1.5 - go: 1.6 + - go: 1.7 + - go: tip + allow_failures: - go: tip - -install: - - go get golang.org/x/tools/cmd/vet script: - go get -t -v ./... - diff -u <(echo -n) <(gofmt -d .) - - go tool vet . + - go vet $(go list ./... | grep -v /vendor/) - go test -v -race ./... diff --git a/vendor/github.com/gorilla/handlers/compress.go b/vendor/github.com/gorilla/handlers/compress.go index 5e140c503..e8345d792 100644 --- a/vendor/github.com/gorilla/handlers/compress.go +++ b/vendor/github.com/gorilla/handlers/compress.go @@ -56,6 +56,9 @@ func (w *compressResponseWriter) Flush() { // CompressHandler gzip compresses HTTP responses for clients that support it // via the 'Accept-Encoding' header. +// +// Compressing TLS traffic may leak the page contents to an attacker if the +// page contains user input: http://security.stackexchange.com/a/102015/12208 func CompressHandler(h http.Handler) http.Handler { return CompressHandlerLevel(h, gzip.DefaultCompression) } diff --git a/vendor/github.com/gorilla/handlers/cors.go b/vendor/github.com/gorilla/handlers/cors.go index d4229a5d9..1f92d1ad4 100644 --- a/vendor/github.com/gorilla/handlers/cors.go +++ b/vendor/github.com/gorilla/handlers/cors.go @@ -112,6 +112,9 @@ func (ch *cors) ServeHTTP(w http.ResponseWriter, r *http.Request) { w.Header().Set(corsAllowOriginHeader, origin) + if r.Method == corsOptionMethod { + return + } ch.h.ServeHTTP(w, r) } diff --git a/vendor/github.com/gorilla/handlers/cors_test.go b/vendor/github.com/gorilla/handlers/cors_test.go index ff7eebf48..c63913eee 100644 --- a/vendor/github.com/gorilla/handlers/cors_test.go +++ b/vendor/github.com/gorilla/handlers/cors_test.go @@ -104,6 +104,24 @@ func TestCORSHandlerInvalidRequestMethodForPreflightMethodNotAllowed(t *testing. } } +func TestCORSHandlerOptionsRequestMustNotBePassedToNextHandler(t *testing.T) { + r := newRequest("OPTIONS", "http://www.example.com/") + r.Header.Set("Origin", r.URL.String()) + r.Header.Set(corsRequestMethodHeader, "GET") + + rr := httptest.NewRecorder() + + testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + t.Fatal("Options request must not be passed to next handler") + }) + + CORS()(testHandler).ServeHTTP(rr, r) + + if status := rr.Code; status != http.StatusOK { + t.Fatalf("bad status: got %v want %v", status, http.StatusOK) + } +} + func TestCORSHandlerAllowedMethodForPreflight(t *testing.T) { r := newRequest("OPTIONS", "http://www.example.com/") r.Header.Set("Origin", r.URL.String()) diff --git a/vendor/github.com/gorilla/handlers/proxy_headers.go b/vendor/github.com/gorilla/handlers/proxy_headers.go index 268de9c6a..0be750fd7 100644 --- a/vendor/github.com/gorilla/handlers/proxy_headers.go +++ b/vendor/github.com/gorilla/handlers/proxy_headers.go @@ -8,9 +8,11 @@ import ( var ( // De-facto standard header keys. - xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For") - xRealIP = http.CanonicalHeaderKey("X-Real-IP") - xForwardedProto = http.CanonicalHeaderKey("X-Forwarded-Scheme") + xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For") + xForwardedHost = http.CanonicalHeaderKey("X-Forwarded-Host") + xForwardedProto = http.CanonicalHeaderKey("X-Forwarded-Proto") + xForwardedScheme = http.CanonicalHeaderKey("X-Forwarded-Scheme") + xRealIP = http.CanonicalHeaderKey("X-Real-IP") ) var ( @@ -28,9 +30,9 @@ var ( // ProxyHeaders inspects common reverse proxy headers and sets the corresponding // fields in the HTTP request struct. These are X-Forwarded-For and X-Real-IP -// for the remote (client) IP address, X-Forwarded-Proto for the scheme -// (http|https) and the RFC7239 Forwarded header, which may include both client -// IPs and schemes. +// for the remote (client) IP address, X-Forwarded-Proto or X-Forwarded-Scheme +// for the scheme (http|https) and the RFC7239 Forwarded header, which may +// include both client IPs and schemes. // // NOTE: This middleware should only be used when behind a reverse // proxy like nginx, HAProxy or Apache. Reverse proxies that don't (or are @@ -49,7 +51,10 @@ func ProxyHeaders(h http.Handler) http.Handler { if scheme := getScheme(r); scheme != "" { r.URL.Scheme = scheme } - + // Set the host with the value passed by the proxy + if r.Header.Get(xForwardedHost) != "" { + r.Host = r.Header.Get(xForwardedHost) + } // Call the next handler in the chain. h.ServeHTTP(w, r) } @@ -99,7 +104,9 @@ func getScheme(r *http.Request) string { // Retrieve the scheme from X-Forwarded-Proto. if proto := r.Header.Get(xForwardedProto); proto != "" { scheme = strings.ToLower(proto) - } else if proto := r.Header.Get(forwarded); proto != "" { + } else if proto = r.Header.Get(xForwardedScheme); proto != "" { + scheme = strings.ToLower(proto) + } else if proto = r.Header.Get(forwarded); proto != "" { // match should contain at least two elements if the protocol was // specified in the Forwarded header. The first element will always be // the 'proto=' capture, which we ignore. In the case of multiple proto diff --git a/vendor/github.com/gorilla/handlers/proxy_headers_test.go b/vendor/github.com/gorilla/handlers/proxy_headers_test.go index 85282ef7d..1bd78052d 100644 --- a/vendor/github.com/gorilla/handlers/proxy_headers_test.go +++ b/vendor/github.com/gorilla/handlers/proxy_headers_test.go @@ -47,6 +47,9 @@ func TestGetScheme(t *testing.T) { {xForwardedProto, "https", "https"}, {xForwardedProto, "http", "http"}, {xForwardedProto, "HTTP", "http"}, + {xForwardedScheme, "https", "https"}, + {xForwardedScheme, "http", "http"}, + {xForwardedScheme, "HTTP", "http"}, {forwarded, `For="[2001:db8:cafe::17]:4711`, ""}, // No proto {forwarded, `for=192.0.2.43, for=198.51.100.17;proto=https`, "https"}, // Multiple params before proto {forwarded, `for=172.32.10.15; proto=https;by=127.0.0.1`, "https"}, // Space before proto @@ -74,13 +77,17 @@ func TestProxyHeaders(t *testing.T) { r.Header.Set(xForwardedFor, "8.8.8.8") r.Header.Set(xForwardedProto, "https") - - var addr string - var proto string + r.Header.Set(xForwardedHost, "google.com") + var ( + addr string + proto string + host string + ) ProxyHeaders(http.HandlerFunc( func(w http.ResponseWriter, r *http.Request) { addr = r.RemoteAddr proto = r.URL.Scheme + host = r.Host })).ServeHTTP(rr, r) if rr.Code != http.StatusOK { @@ -96,5 +103,9 @@ func TestProxyHeaders(t *testing.T) { t.Fatalf("wrong address: got %s want %s", proto, r.Header.Get(xForwardedProto)) } + if host != r.Header.Get(xForwardedHost) { + t.Fatalf("wrong address: got %s want %s", host, + r.Header.Get(xForwardedHost)) + } } |