Merge pull request #47758 from sled/security/set-content-type-charset

Set charset in content type response headers (OWASP)
2023-03-25 11:24:43 -04:00 · 2023-03-25 11:24:43 -04:00 · acd8fd142d
commit acd8fd142d
parent 05104e82b8 a9d191997b
6 changed files with 7 additions and 6 deletions
--- a/actioncable/lib/action_cable/connection/base.rb
+++ b/actioncable/lib/action_cable/connection/base.rb
@ -233,7 +233,7 @@ def respond_to_invalid_request

          logger.error invalid_request_message
          logger.info finished_request_message
-          [ 404, { "Content-Type" => "text/plain" }, [ "Page not found" ] ]
+          [ 404, { "Content-Type" => "text/plain; charset=utf-8" }, [ "Page not found" ] ]
        end

        # Tags are declared in the server but computed in the connection. This allows us per-connection tailored tags.
--- a/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb
+++ b/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb
@ -32,7 +32,7 @@ def redirect_to(location)
        if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
          body = ""
        else
-          return [400, { "Content-Type" => "text/plain" }, ["Invalid redirection URI"]]
+          return [400, { "Content-Type" => "text/plain; charset=utf-8" }, ["Invalid redirection URI"]]
        end

        [302, {
--- a/actionpack/lib/action_dispatch/middleware/debug_locks.rb
+++ b/actionpack/lib/action_dispatch/middleware/debug_locks.rb
@ -97,7 +97,8 @@ def render_details(req)
          msg << "\n#{info[:backtrace].join("\n")}\n" if info[:backtrace]
        end.join("\n\n---\n\n\n")

-        [200, { "Content-Type" => "text/plain", "Content-Length" => str.size }, [str]]
+        [200, { "Content-Type" => "text/plain; charset=#{ActionDispatch::Response.default_charset}",
+          "Content-Length" => str.size }, [str]]
      end

      def blocked_by?(victim, blocker, all_threads)
--- a/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
+++ b/actionpack/lib/action_dispatch/middleware/show_exceptions.rb
@ -48,7 +48,7 @@ def render_exception(request, exception)
      rescue Exception => failsafe_error
        $stderr.puts "Error during failsafe response: #{failsafe_error}\n  #{failsafe_error.backtrace * "\n  "}"

-        [500, { "Content-Type" => "text/plain" },
+        [500, { "Content-Type" => "text/plain; charset=utf-8" },
          ["500 Internal Server Error\n" \
          "If you are the administrator of this website, then please read this web " \
          "application's log file and/or the web server's log file to find out what " \
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@ -129,7 +129,7 @@ def flag_cookies_as_secure!(headers)

      def redirect_to_https(request)
        [ @redirect.fetch(:status, redirection_status(request)),
-          { "Content-Type" => "text/html",
+          { "Content-Type" => "text/html; charset=utf-8",
            "Location" => https_location_for(request) },
          (@redirect[:body] || []) ]
      end
--- a/actionpack/lib/action_dispatch/routing/redirection.rb
+++ b/actionpack/lib/action_dispatch/routing/redirection.rb
@ -51,7 +51,7 @@ def build_response(req)

        headers = {
          "Location" => uri.to_s,
-          "Content-Type" => "text/html",
+          "Content-Type" => "text/html; charset=#{ActionDispatch::Response.default_charset}",
          "Content-Length" => body.length.to_s
        }