misc: return bad request messages as plain text (#41602)

mellon/views.py

@@ -23,9 +23,9 @@ from requests.exceptions import RequestException
 from xml.sax.saxutils import escape
 import xml.etree.ElementTree as ET
 
-
+import django.http
 from django.views.generic import View
-from django.http import HttpResponseBadRequest, HttpResponseRedirect, HttpResponse
+from django.http import HttpResponseRedirect, HttpResponse
 from django.contrib import auth
 from django.conf import settings
 from django.views.decorators.csrf import csrf_exempt
@@ -40,6 +40,7 @@ from django.utils.translation import ugettext as _
 
 from . import app_settings, utils
 
+
 RETRY_LOGIN_COOKIE = 'MELLON_RETRY_LOGIN'
 
 lasso.setFlag('thin-sessions')
@@ -55,6 +56,13 @@ EO_NS = 'https://www.entrouvert.com/'
 LOGIN_HINT = '{%s}login-hint' % EO_NS
 
 
+class HttpResponseBadRequest(django.http.HttpResponseBadRequest):
+    def __init__(self, *args, **kwargs):
+        kwargs['content_type'] = kwargs.get('content_type', 'text/plain')
+        super(HttpResponseBadRequest, self).__init__(*args, **kwargs)
+        self['X-Content-Type-Options'] = 'nosniff'
+
+
 class LogMixin(object):
     """Initialize a module logger in new objects"""
     def __init__(self, *args, **kwargs):

tests/test_views.py

@@ -232,6 +232,8 @@ def test_malfortmed_artifact(private_settings, client, caplog):
         'METADATA': open('tests/metadata.xml').read(),
     }]
     response = client.get('/login/?SAMLart=xxx', status=400)
+    assert response['Content-Type'] == 'text/plain'
+    assert response['X-Content-Type-Options'] == 'nosniff'
     assert b'artifact is malformed' in response.content
     assert 'artifact is malformed' in caplog.text