net/http: FileServer method check + minimal OPTIONS implementation

FileServer provides a read-only service. Methods other than GET or HEAD should
be denied with an Allow header.

Fixes #53501

Change-Id: I1d31b405eefd90565ecd474ac3f8d8d6e3b15072
Reviewed-on: https://go-review.googlesource.com/c/go/+/413554
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>

1 files changed, 15 insertions, 5 deletions

diff --git a/src/net/http/fs.go b/src/net/http/fs.go
index 87caeb7e90..cf80018b5e 100644
--- a/src/net/http/fs.go
+++ b/src/net/http/fs.go
@@ -843,12 +843,22 @@ func FileServer(root FileSystem) Handler {
 }
 
 func (f *fileHandler) ServeHTTP(w ResponseWriter, r *Request) {
-	upath := r.URL.Path
-	if !strings.HasPrefix(upath, "/") {
-		upath = "/" + upath
-		r.URL.Path = upath
+	const options = MethodOptions + ", " + MethodGet + ", " + MethodHead
+
+	switch r.Method {
+	case MethodGet, MethodHead:
+		if !strings.HasPrefix(r.URL.Path, "/") {
+			r.URL.Path = "/" + r.URL.Path
+		}
+		serveFile(w, r, f.root, path.Clean(r.URL.Path), true)
+
+	case MethodOptions:
+		w.Header().Set("Allow", options)
+
+	default:
+		w.Header().Set("Allow", options)
+		Error(w, "read-only", StatusMethodNotAllowed)
 	}
-	serveFile(w, r, f.root, path.Clean(upath), true)
 }
 
 // httpRange specifies the byte range to be sent to the client.