browse: Return HTTP errors on unhandled HTTP methods

For example, a HTTP POST should not be answered with StatusOK, and a response to HTTP OPTIONS should not carry any contents.
2025-11-03 19:17:29 -05:00 · 2016-04-15 18:17:36 +02:00 · 2016-04-15 18:17:36 +02:00 · 4e98cc3005
commit 4e98cc3005
parent d3a77ce3c3
2 changed files with 50 additions and 0 deletions
--- a/middleware/browse/browse.go
+++ b/middleware/browse/browse.go
@ -241,6 +241,11 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 		if !middleware.Path(r.URL.Path).Matches(bc.PathScope) {
 			continue
 		}
+		switch r.Method {
+		case http.MethodGet, http.MethodHead:
+		default:
+			return http.StatusMethodNotAllowed, nil
+		}

 		// Browsing navigation gets messed up if browsing a directory
 		// that doesn't end in "/" (which it should, anyway)
--- a/middleware/browse/browse_test.go
+++ b/middleware/browse/browse_test.go
@ -104,6 +104,51 @@ func TestSort(t *testing.T) {
 	}
 }

+func TestBrowseHTTPMethods(t *testing.T) {
+	tmpl, err := template.ParseFiles("testdata/photos.tpl")
+	if err != nil {
+		t.Fatalf("An error occured while parsing the template: %v", err)
+	}
+
+	b := Browse{
+		Next: middleware.HandlerFunc(func(w http.ResponseWriter, r *http.Request) (int, error) {
+			t.Fatalf("Next shouldn't be called")
+			return 0, nil
+		}),
+		Root: "./testdata",
+		Configs: []Config{
+			{
+				PathScope: "/photos",
+				Template:  tmpl,
+			},
+		},
+	}
+
+	rec := httptest.NewRecorder()
+	for method, expected := range map[string]int{
+		http.MethodGet:     http.StatusOK,
+		http.MethodHead:    http.StatusOK,
+		http.MethodOptions: http.StatusMethodNotAllowed,
+		http.MethodPost:    http.StatusMethodNotAllowed,
+		http.MethodPut:     http.StatusMethodNotAllowed,
+		http.MethodPatch:   http.StatusMethodNotAllowed,
+		http.MethodDelete:  http.StatusMethodNotAllowed,
+		"COPY":             http.StatusMethodNotAllowed,
+		"MOVE":             http.StatusMethodNotAllowed,
+		"MKCOL":            http.StatusMethodNotAllowed,
+	} {
+		req, err := http.NewRequest(method, "/photos/", nil)
+		if err != nil {
+			t.Fatalf("Test: Could not create HTTP request: %v", err)
+		}
+
+		code, _ := b.ServeHTTP(rec, req)
+		if code != expected {
+			t.Errorf("Wrong status with HTTP Method %s: expected %d, got %d", method, expected, code)
+		}
+	}
+}
+
 func TestBrowseTemplate(t *testing.T) {
 	tmpl, err := template.ParseFiles("testdata/photos.tpl")
 	if err != nil {