Merge pull request #198 from gofiber/fix-content-type-parser-vulnerability

🐛 fix: prevent content-type confusion in ParseVendorSpecificContentType

Author: ReneWerner87

http.go

@@ -11,10 +11,10 @@ import (
 
 const MIMEOctetStream = "application/octet-stream"
 const (
-	contentTypeApplicationJSON               = "application/json"
-	contentTypeApplicationXML                = "application/xml"
-	contentTypeApplicationFormURLEncoded     = "application/x-www-form-urlencoded"
-	contentTypePrefixApplicationWithSlashLen = len("application/")
+	contentTypeApplicationJSON            = "application/json"
+	contentTypeApplicationXML             = "application/xml"
+	contentTypeApplicationFormURLEncoded  = "application/x-www-form-urlencoded"
+	contentTypePrefixApplicationWithSlash = "application/"
 )
 
 // GetMIME returns the content-type of a file extension
@@ -80,7 +80,7 @@ func ParseVendorSpecificContentType(cType string, caseInsensitive ...bool) strin
 		return cType
 	}
 
-	if slashIndex+1 == contentTypePrefixApplicationWithSlashLen {
+	if strings.HasPrefix(working, contentTypePrefixApplicationWithSlash) {
 		switch parsableType {
 		case "json":
 			return contentTypeApplicationJSON

http_test.go

@@ -102,6 +102,9 @@ func Test_ParseVendorSpecificContentType(t *testing.T) {
 	cType = ParseVendorSpecificContentType("text/vnd.example+plain")
 	require.Equal(t, "text/plain", cType)
 
+	cType = ParseVendorSpecificContentType("aaaaaaaaaaa/vnd.api+json")
+	require.Equal(t, "aaaaaaaaaaa/json", cType)
+
 	cType = ParseVendorSpecificContentType("application/vnd.test+json;boundary=test")
 	require.Equal(t, "application/json", cType)