
Commit 3f63cf1

committed
[headers] Support headers for verb tunnelling
1 parent 1f765c0 commit 3f63cf1


2 files changed

+16
-6
lines changed


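--- a/changes/20251006152230.feature
+++ b/changes/20251006152230.feature
@@ -0,0 +1 @@
+:sparkles: `[headers]` Support headers for [verb tunnelling](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-odata/bdbabfa6-8c4a-4741-85a9-8d93ffd66c41)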

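--- a/utils/http/headers/headers.go
+++ b/utils/http/headers/headers.go
@@ -31,13 +31,19 @@ const (
 HeaderDeprecation = "Deprecation" // https://datatracker.ietf.org/doc/html/draft-ietf-httpapi-deprecation-header-02
 HeaderLink = headers.Link // https://datatracker.ietf.org/doc/html/rfc8288
 // TUS Headers https://tus.io/protocols/resumable-upload#headers
-HeaderUploadOffset = "Upload-Offset"
-HeaderTusVersion = "Tus-Version"
-HeaderUploadLength = "Upload-Length"
-HeaderTusResumable = "Tus-Resumable"
-HeaderTusExtension = "Tus-Extension"
-HeaderTusMaxSize = "Tus-Max-Size"
+HeaderUploadOffset = "Upload-Offset"
+HeaderTusVersion = "Tus-Version"
+HeaderUploadLength = "Upload-Length"
+HeaderTusResumable = "Tus-Resumable"
+HeaderTusExtension = "Tus-Extension"
+HeaderTusMaxSize = "Tus-Max-Size"
+// Verb tunnelling (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-odata/bdbabfa6-8c4a-4741-85a9-8d93ffd66c41)
+// CAUTION see the security risk of supporting such headers https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it/
 HeaderXHTTPMethodOverride = "X-HTTP-Method-Override"
+HeaderXHTTPMethod = "X-HTTP-Method"
+HeaderXMethodOverride = "X-Method-Override"
+HeaderXOverrideMethod = "X-Override-Method"
+
 // TUS extensions Headers
 HeaderUploadMetadata = "Upload-Metadata" // See https://tus.io/protocols/resumable-upload#upload-metadata
 HeaderUploadDeferLength = "Upload-Defer-Length" // See https://tus.io/protocols/resumable-upload#upload-defer-length
@@ -76,6 +82,9 @@ var (
 HeaderChecksumAlgorithm,
 HeaderChecksum,
 HeaderUploadConcat,
+HeaderXHTTPMethod,
+HeaderXMethodOverride,
+HeaderXOverrideMethod,
 headers.Accept,
 headers.AcceptCharset,
 headers.AcceptEncoding,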
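Review bot: The CAUTION comment above `HeaderXHTTPMethodOverride` delegates the whole risk statement to an external blog link, so a reader of the constants cannot tell what the hazard is if that page moves. I would state it in place, e.g. `// CAUTION: a server that honours these headers lets the client change the effective verb after any proxy, WAF or router rule keyed on the request method has run; honour them only on POST and only for an explicit set of verbs.` The second hunk also adds `HeaderXHTTPMethod`, `HeaderXMethodOverride` and `HeaderXOverrideMethod` to a `var (` list whose name and purpose sit outside the hunk; if that list is what marks headers as safe to accept or forward, these three probably deserve a separate, opt-in list, which is worth confirming against its callers. `HeaderXHTTPMethodOverride` is not added alongside them here, presumably because it is already listed elsewhere.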
