From d67297c7aae59e2a2733014784dc595f5c51ec55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Fri, 10 Apr 2020 14:21:58 +0200
Subject: [PATCH] misc: return bad request messages as plain text (#41602)

---
 mellon/views.py | 12 ++++++++++--
 tests/test_views.py | 2 ++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/mellon/views.py b/mellon/views.py
index 15f5a86..9ebf645 100644
--- a/mellon/views.py
+++ b/mellon/views.py
@@ -23,9 +23,9 @@ from requests.exceptions import RequestException
 
 from xml.sax.saxutils import escape
 import xml.etree.ElementTree as ET
-
+import django.http
 from django.views.generic import View
-from django.http import HttpResponseBadRequest, HttpResponseRedirect, HttpResponse
+from django.http import HttpResponseRedirect, HttpResponse
 from django.contrib import auth
 from django.conf import settings
 from django.views.decorators.csrf import csrf_exempt
@@ -40,6 +40,7 @@ from django.utils.translation import ugettext as _
 
 from . import app_settings, utils
 
+
 RETRY_LOGIN_COOKIE = 'MELLON_RETRY_LOGIN'
 
 lasso.setFlag('thin-sessions')
@@ -55,6 +56,13 @@ EO_NS = 'https://www.entrouvert.com/'
 LOGIN_HINT = '{%s}login-hint' % EO_NS
 
 
+class HttpResponseBadRequest(django.http.HttpResponseBadRequest):
+    def __init__(self, *args, **kwargs):
+        kwargs['content_type'] = kwargs.get('content_type', 'text/plain')
+        super(HttpResponseBadRequest, self).__init__(*args, **kwargs)
+        self['X-Content-Type-Options'] = 'nosniff'
+
+
 class LogMixin(object):
     """Initialize a module logger in new objects"""
     def __init__(self, *args, **kwargs):
diff --git a/tests/test_views.py b/tests/test_views.py
index c9fd253..7964bd9 100644
--- a/tests/test_views.py
+++ b/tests/test_views.py
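Review bot: The `content_type` default in the new `HttpResponseBadRequest.__init__` is a bare `'text/plain'`, so the 400 response declares no charset: Django only appends `; charset=` when `content_type` is omitted, and the body is still encoded with the default charset (UTF-8), so any non-ASCII error text (the module imports `ugettext`, so translated messages are plausible) goes out without its encoding being declared. `X-Content-Type-Options: nosniff` prevents MIME-type sniffing but not charset guessing, so `kwargs.setdefault('content_type', 'text/plain; charset=utf-8')` is the safer and more idiomatic default; the exact-match assertion added in tests/test_views.py would then become `assert response['Content-Type'].startswith('text/plain')`. The class also deserves a one-line docstring stating why it shadows Django's class, e.g. `"""400 responses as plain text with nosniff, so request-derived text echoed in the error message is never rendered as HTML."""`. Whether other 400 responses in the module still go through Django's HTML-typed class cannot be seen from these hunks.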
@@ -232,6 +232,8 @@ def test_malfortmed_artifact(private_settings, client, caplog):
         'METADATA': open('tests/metadata.xml').read(),
     }]
     response = client.get('/login/?SAMLart=xxx', status=400)
+    assert response['Content-Type'] == 'text/plain'
+    assert response['X-Content-Type-Options'] == 'nosniff'
     assert b'artifact is malformed' in response.content
     assert 'artifact is malformed' in caplog.text
 