-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add charset to content type in getHandler #545
Conversation
Add charset to content type in the getHandler function to fix CJK-letter related issues. If the content type is empty after trimming, set it to "text/plain; charset=utf-8".
@snowphone thanks for the PR with your code the charset will be set only if the content type is empty: this will happen probably only uploading a file with an empty extension could you please validate that if you upload a file with I'm not sure how not relaying on the content-type header of the request is safer than relaying on the extension: both can be forged to produce a specific result, it's just that using the golang stdlind the possible results available are lower @cr-sh, sorry if I chime you in, do you see anything security related if we change this? |
Since your official server (transfer.sh) seems down, I tested on my server. BTW, My docker instance uses |
@snowphone The server is not down, it sadly has geoblocking enabled due to heavy abuse. I am sorry for the inconvenience caused and we hope to lift that restriction at some point 👍 |
yes, that was clear what I mean is that even with your change, uploading it will fix only if you upload |
Hmm.. It works on trasfer.sh. It seems I missed some configurations on my docker instance. Here's the link and The original content is EDIT: It works if the extension is .txt, but the problem occurs if extensions do not exist. |
No worries, it's always my pleasure to be mentioned by you @aspacca :) Client-side, from a security perspective, relaying on the content-type header of the request is quite the same than relaying on the file extension, both are (of course) in the control of a possible attacker... "ideally" the relative server-side security best practice in file upload endpoints is to match the header with the provided file extension. In opposite direction the content-type header on http responses are more prone to bad things when empty or evil, because the browser will try to guess the file type sniffing the content, so in case of "empty" content types the best option is to add In any case forcing to text/plain any "empty" Content-Type as I see on [edit] reference: Cheers, crash |
I can't understand why
and a reverse-proxy server is in front of transfer.sh instance. Do you guys know why this difference happened? |
my guess is something about the locale env variables |
this has
this has no |
thanks @cr-sh for the feedback
what if they don't match? should we reject the upload? something like this is correct from your point of view?
|
I cannot reproduce: https://github.com/dutchcoders/transfer.sh/blob/main/server/handlers.go#L1221 is properly reached, and I can see locally the header @stefanbenten is it possible that you have some kind of proxy on top of transfer.sh that drops the |
Unfortunately, locale was not the one. I tried |
maybe something on the reverse-proxy? are you able to bypass the proxy and reproduce the issue directly connecting to docker? |
sorry, indeed not specific to local env variables, but in general to the locale. |
indeed the locale concerns might be off-point and in case come in the picture after the proper could you please check the the proper value should be what's your host locale? |
https://pkg.go.dev/mime#TypeByExtension if you run the binary on a *nix machine you'll get much more extensions, that's the reason why I could not reproduce. I don't know if on https://transfer.sh the service runs from docker or not (@stefanbenten ?) it might be worth to add at least a few of following files to the docker image:
|
First, the problem is NOT related to a reverse-proxy server. I tried without reverse-proxy (I stopped my nginx instance for make it sure) but the problem still happens. And, my host locale is |
yes, @snowphone , please read my last comment at #545 (comment) let's split the two problems you are facing:
solutions:
(only the one you have available on your system)
|
Thanks! mounting |
inlcuding them in the docker image is the preferred solution, if you have some times to work on it a PR is welcome I will merge this current one in the meanwhile |
yep, i think it's the best policy
Looks good, but some testing is mandatory here, because there are some cases where we can have multiple valid content-type headers for a given file extension (like for images and videos). Also remember to place this snippet after handling the case of uploads without extension. Probably, to push it even further, you can actively check on the server the mimetype of uploaded files, this is a good example https://github.com/h2non/filetype |
This commit includes /etc/mime.types file to the container, which is necessary to properly select the charset using MIME typing during file upload. For more information, read dutchcoders#545 (comment)
* Add charset to content type in getHandler Add charset to content type in the getHandler function to fix CJK-letter related issues. If the content type is empty after trimming, set it to "text/plain; charset=utf-8". * Add mailcap and mime.types to transfer.sh container This commit includes /etc/mime.types file to the container, which is necessary to properly select the charset using MIME typing during file upload. For more information, read #545 (comment) --------- Co-authored-by: Andrea Spacca <andrea.spacca@gmail.com>
When I use
https/transfer.sh/inline/....
, CJK letters are crashed, at least on MSEdge. It seems it's because of absence of charset (UTF-8).So I added charset to content type in the getHandler function to fix CJK-letter related issues. If the content type is empty after trimming, set it to "text/plain; charset=utf-8".
BTW, I'm not familiar with REST APIs and this change is not tested yet, feel free to give me feedback.