Enforce mime type 'application/json' when uploading advisories to the provider.

2025-12-22 11:55:40 +01:00 · 2023-02-01 00:32:30 +01:00 · 2023-02-01 00:32:30 +01:00 · 7cc37bd9fc
commit 7cc37bd9fc
parent e998133429
2 changed files with 23 additions and 1 deletions
--- a/cmd/csaf_provider/actions.go
+++ b/cmd/csaf_provider/actions.go
@ -42,6 +42,11 @@ func (c *controller) loadCSAF(r *http.Request) (string, []byte, error) {
 	}
 	defer file.Close()

+	// We reject everything which is not announced as JSON.
+	if handler.Header.Get("Content-Type") != "application/json" {
+		return "", nil, errors.New("expected content type 'application/json'")
+	}
+
 	if !util.ConfirmingFileName(handler.Filename) {
 		return "", nil, errors.New("given csaf filename is not confirming")
 	}