Enable downloading of protected content. See issue #979 (#980)

* Fix for stripping of 'Content-Disposition' and other headers from 'X-Accel-Redirect' redirect scripts.

* Added test case for header manipulation of redirect response.

.gitignore

@@ -3,6 +3,7 @@ Thumbs.db
 _gitignore/
 Vagrantfile
 .vagrant/
+/.idea
 
 dist/builds/
 dist/release/

caddyhttp/internalsrv/internal.go

@@ -21,6 +21,8 @@ type Internal struct {
 
 const (
 	redirectHeader        string = "X-Accel-Redirect"
+	contentLengthHeader   string = "Content-Length"
+	contentEncodingHeader string = "Content-Encoding"
 	maxRedirectCount      int    = 10
 )
 
@@ -68,11 +70,12 @@ type internalResponseWriter struct {
 	http.ResponseWriter
 }
 
-// ClearHeader removes all header fields that are already set.
+// ClearHeader removes script headers that would interfere with follow up
+// redirect requests.
 func (w internalResponseWriter) ClearHeader() {
-	for k := range w.Header() {
+	w.Header().Del(redirectHeader)
-		w.Header().Del(k)
+	w.Header().Del(contentLengthHeader)
-	}
+	w.Header().Del(contentEncodingHeader)
 }
 
 // WriteHeader ignores the call if the response should be redirected to an

caddyhttp/internalsrv/internal_test.go

@@ -7,6 +7,12 @@ import (
 	"testing"
 
 	"github.com/mholt/caddy/caddyhttp/httpserver"
+	"strconv"
+)
+
+const (
+	internalProtectedData  = "~~~protected-data~~~"
+	contentTypeOctetStream = "application/octet-stream"
 )
 
 func TestInternal(t *testing.T) {
@@ -30,6 +36,7 @@ func TestInternal(t *testing.T) {
 		{"/cycle", http.StatusInternalServerError, ""},
 	}
 
+	var i int
 	for i, test := range tests {
 		req, err := http.NewRequest("GET", test.url, nil)
 		if err != nil {
@@ -48,15 +55,66 @@ func TestInternal(t *testing.T) {
 				i, test.expectedBody, test.url, rec.Body.String())
 		}
 	}
+
+	{
+		req, err := http.NewRequest("GET", "/download", nil)
+		if err != nil {
+			t.Fatalf("Test %d: Could not create HTTP request: %v", i, err)
+		}
+
+		rec := httptest.NewRecorder()
+		code, _ := im.ServeHTTP(rec, req)
+
+		if code != 0 {
+			t.Errorf("Test %d: Expected status code %d for %s, but got %d",
+				i, 0, "/download", code)
+		}
+		if rec.Body.String() != internalProtectedData {
+			t.Errorf("Test %d: Expected body '%s' for %s, but got '%s'",
+				i, internalProtectedData, "/download", rec.Body.String())
+		}
+		contentLength, err := strconv.Atoi(rec.Header().Get("Content-Length"))
+		if err != nil || contentLength != len(internalProtectedData) {
+			t.Errorf("Test %d: Expected content-length %d for %s, but got %d",
+				i, len(internalProtectedData), "/download", contentLength)
+		}
+		if val := rec.Header().Get("Content-Type"); val != contentTypeOctetStream {
+			t.Errorf("Test %d: Expected content-type '%s' header for %s, but got '%s'",
+				i, contentTypeOctetStream, "/download", val)
+		}
+		if val := rec.Header().Get("Content-Disposition"); val == "" {
+			t.Errorf("Test %d: Expected content-disposition header for %s",
+				i, "/download")
+		}
+		if val := rec.Header().Get("Content-Encoding"); val != "" {
+			t.Errorf("Test %d: Expected removal of content-encoding header for %s",
+				i, "/download")
+		}
+	}
 }
 
 func internalTestHandlerFunc(w http.ResponseWriter, r *http.Request) (int, error) {
 	switch r.URL.Path {
 	case "/redirect":
 		w.Header().Set("X-Accel-Redirect", "/internal")
+
 	case "/cycle":
 		w.Header().Set("X-Accel-Redirect", "/cycle")
+
+	case "/download":
+		w.Header().Set("X-Accel-Redirect", "/internal/data")
+		w.Header().Set("Content-Disposition", "attachment; filename=test")
+		w.Header().Set("Content-Encoding", "magic")
+		w.Header().Set("Content-Length", "999")
+
+	case "/internal/data":
+		w.WriteHeader(http.StatusOK)
+		w.Header().Set("Content-Type", contentTypeOctetStream)
+		w.Header().Set("Content-Length", strconv.Itoa(len(internalProtectedData)))
+		w.Write([]byte(internalProtectedData))
+		return 0, nil
 	}
+
 	w.WriteHeader(http.StatusOK)
 	fmt.Fprintf(w, r.URL.String())