From a5dacb36a9124b7c4cf6ac653c6915570b855f89 Mon Sep 17 00:00:00 2001
From: Andrea Spacca <andrea.spacca@gmail.com>
Date: Wed, 5 Apr 2023 23:30:58 +0900
Subject: [PATCH] call WriteHeader after last change to header map (#542)

* call WriteHeader after last change to header map

* fix reader/decryptionReader
---
 server/handlers.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/server/handlers.go b/server/handlers.go
index a5cccb5c..704a987b 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -1232,16 +1232,8 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("X-Remaining-Downloads", remainingDownloads)
 	w.Header().Set("X-Remaining-Days", remainingDays)
 
-	if rng != nil && rng.ContentRange() != "" {
-		w.WriteHeader(http.StatusPartialContent)
-	}
-
-	if disposition == "inline" && canContainsXSS(contentType) {
-		reader = io.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader))
-	}
-
 	password := r.Header.Get("X-Decrypt-Password")
-	decryptionReader, err := attachDecryptionReader(reader, password)
+	reader, err = attachDecryptionReader(reader, password)
 	if err != nil {
 		http.Error(w, "Could not decrypt file", http.StatusInternalServerError)
 		return
@@ -1256,7 +1248,15 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Length", strconv.FormatUint(contentLength, 10))
 	w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")
 
-	if _, err = io.Copy(w, decryptionReader); err != nil {
+	if rng != nil && rng.ContentRange() != "" {
+		w.WriteHeader(http.StatusPartialContent)
+	}
+
+	if disposition == "inline" && canContainsXSS(contentType) {
+		reader = io.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader))
+	}
+
+	if _, err = io.Copy(w, reader); err != nil {
 		s.logger.Printf("%s", err.Error())
 		http.Error(w, "Error occurred copying to output stream", http.StatusInternalServerError)
 		return
-- 
GitLab