]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 66e66e7) | patch
net/http/cgi,net/http/fcgi: add Content-Type detection
authorRoberto Clapis <roberto@golang.org>
Wed, 26 Aug 2020 06:53:03 +0000 (08:53 +0200)
committerFilippo Valsorda <filippo@golang.org>
Mon, 14 Sep 2020 15:42:03 +0000 (15:42 +0000)
commit4f5cd0c0331943c7ec72df3b827d972584f77833
tree9aba6fa0d87f10f1cf442a95a6c9e6f1200d28fbtree
parent66e66e71132034aa620ffbae9008f951da0f9f27commit | diff
net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI
have a Content-Type header based on the content of the
response if not explicitly set by handlers.

If the implementers of the handler did not explicitly
specify a Content-Type both CGI implementations would default
to "text/html", potentially causing cross-site scripting.

Thanks to RedTeam Pentesting GmbH for reporting this.

Fixes #40928
Fixes CVE-2020-24553

Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/252179
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
src/net/http/cgi/child.go diff | blob | history
src/net/http/cgi/child_test.go diff | blob | history
src/net/http/cgi/integration_test.go diff | blob | history
src/net/http/fcgi/child.go diff | blob | history
src/net/http/fcgi/fcgi_test.go diff | blob | history
Go GOST TLS 1.3