From 81bf1ef8ceb8be4b4a86007a042157ac0eeb2a28 Mon Sep 17 00:00:00 2001
From: Nikolai Prokoschenko
Date: Tue, 12 Jan 2021 16:40:14 +0100
Subject: [PATCH] Adapt isAjax to support mimetype lists
Fixes #988
---
 CHANGELOG.md | 1 +
 oauthproxy.go | 14 +++++++++++---
 oauthproxy_test.go | 7 +++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2272fb4..fc41907 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -100,6 +100,7 @@
 - [#750](https://github.com/oauth2-proxy/oauth2-proxy/pull/750) ci: Migrate to Github Actions (@shinebayar-g)
 - [#829](https://github.com/oauth2-proxy/oauth2-proxy/pull/820) Rename test directory to testdata (@johejo)
 - [#819](https://github.com/oauth2-proxy/oauth2-proxy/pull/819) Improve CI (@johejo)
+- [#989](https://github.com/oauth2-proxy/oauth2-proxy/pull/989) Adapt isAjax to support mimetype lists (@rassie)
 # v6.1.1
diff --git a/oauthproxy.go b/oauthproxy.go
index 74ed6dc..cfba693 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -1111,9 +1111,17 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 func isAjax(req *http.Request) bool {
 acceptValues := req.Header.Values("Accept")
 const ajaxReq = applicationJSON
- for _, v := range acceptValues {
- if v == ajaxReq {
- return true
+ // Iterate over multiple Accept headers, i.e.
+ // Accept: application/json
+ // Accept: text/plain
+ for _, mimeTypes := range acceptValues {
+ // Iterate over multiple mimetypes in a single header, i.e.
+ // Accept: application/json, text/plain, */*
+ for _, mimeType := range strings.Split(mimeTypes, ",") {
+ mimeType = strings.TrimSpace(mimeType)
+ if mimeType == ajaxReq {
+ return true
+ }
 }
 }
 return false
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index 572e1ec..52ffa2b 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
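Review bot: In isAjax (oauthproxy.go), the new inner loop compares each trimmed list element to `applicationJSON` byte for byte, so an element that carries parameters, such as `application/json;q=0.9`, or is written in a different case is still not recognised. Judging by the test names, this result appears to choose the unauthorized response for script clients over the sign-in redirect, so a miss would send an API client into the interactive flow; it does not look like an authentication bypass. Parsing each element with the standard library covers both cases: `if mt, _, err := mime.ParseMediaType(mimeType); err == nil && mt == ajaxReq { return true }` (this needs the `mime` import). The closing brace of isAjax lies outside the hunk.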
@@ -1970,6 +1970,13 @@ func TestAjaxUnauthorizedRequest2(t *testing.T) {
 testAjaxUnauthorizedRequest(t, header)
 }
+func TestAjaxUnauthorizedRequestAccept1(t *testing.T) {
+ header := make(http.Header)
+ header.Add("Accept", "application/json, text/plain, */*")
+
+ testAjaxUnauthorizedRequest(t, header)
+}
+
 func TestAjaxForbiddendRequest(t *testing.T) {
 test, err := newAjaxRequestTest()
 if err != nil {
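Review bot: TestAjaxUnauthorizedRequestAccept1 exercises only a list that contains an exact `application/json` element, so a later change to looser matching (prefix or substring) would still pass. A companion case with a near-miss list, for example `header.Add("Accept", "application/json-seq, text/plain")`, that asserts the non-AJAX response would pin the exact-match behaviour. The helper testAjaxUnauthorizedRequest is defined outside this hunk, so the negative case probably needs its own assertions. A case that adds two separate Accept header lines would also cover the outer loop that the isAjax comments describe.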