browse: Return HTTP errors on unhandled HTTP methods

For example, a HTTP POST should not be answered with StatusOK, and a response to HTTP OPTIONS should not carry any contents.

browse: Return HTTP errors on unhandled HTTP methods
For example, a HTTP POST should not be answered with StatusOK, and a response to HTTP OPTIONS should not carry any contents.
4e98cc30 · W-Mark Kubacki · d3a77ce3 · 4e98cc30 · 4e98cc30
Commit 4e98cc30 authored Apr 15, 2016 by W-Mark Kubacki
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 0 deletions

middleware/browse/browse.go middleware/browse/browse.go +5 -0

middleware/browse/browse_test.go middleware/browse/browse_test.go +45 -0

No files found.
--- a/middleware/browse/browse.go
+++ b/middleware/browse/browse.go
@@ -241,6 +241,11 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 		if !middleware.Path(r.URL.Path).Matches(bc.PathScope) {
 			continue
 		}
+		switch r.Method {
+		case http.MethodGet, http.MethodHead:
+		default:
+			return http.StatusMethodNotAllowed, nil
+		}

 		// Browsing navigation gets messed up if browsing a directory
 		// that doesn't end in "/" (which it should, anyway)

--- a/middleware/browse/browse_test.go
+++ b/middleware/browse/browse_test.go
@@ -104,6 +104,51 @@ func TestSort(t *testing.T) {
 	}
 }

+func TestBrowseHTTPMethods(t *testing.T) {
+	tmpl, err := template.ParseFiles("testdata/photos.tpl")
+	if err != nil {
+		t.Fatalf("An error occured while parsing the template: %v", err)
+	}
+
+	b := Browse{
+		Next: middleware.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
+			t.Fatalf("Next shouldn't be called")
+			return 0, nil
+		}),
+		Root: "./testdata",
+		Configs: []Config{
+			{
+				PathScope: "/photos",
+				Template:  tmpl,
+			},
+		},
+	}
+
+	rec := httptest.NewRecorder()
+	for method, expected := range map[string]int{
+		http.MethodGet:     http.StatusOK,
+		http.MethodHead:    http.StatusOK,
+		http.MethodOptions: http.StatusMethodNotAllowed,
+		http.MethodPost:    http.StatusMethodNotAllowed,
+		http.MethodPut:     http.StatusMethodNotAllowed,
+		http.MethodPatch:   http.StatusMethodNotAllowed,
+		http.MethodDelete:  http.StatusMethodNotAllowed,
+		"COPY":             http.StatusMethodNotAllowed,
+		"MOVE":             http.StatusMethodNotAllowed,
+		"MKCOL":            http.StatusMethodNotAllowed,
+	} {
+		req, err := http.NewRequest(method, "/photos/", nil)
+		if err != nil {
+			t.Fatalf("Test: Could not create HTTP request: %v", err)
+		}
+
+		code, _ := b.ServeHTTP(rec, req)
+		if code != expected {
+			t.Errorf("Wrong status with HTTP Method %s: expected %d, got %d", method, expected, code)
+		}
+	}
+}
+
 func TestBrowseTemplate(t *testing.T) {
 	tmpl, err := template.ParseFiles("testdata/photos.tpl")
 	if err != nil {