Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.9] net/http/pprof: harden handler responses
author Andrew Bonventre <andybons@golang.org>
Fri, 23 Mar 2018 20:40:15 +0000 (16:40 -0400)
committer Andrew Bonventre <andybons@golang.org>
Thu, 29 Mar 2018 06:04:25 +0000 (06:04 +0000)
commit 703bb6a7124da10fea81bf1e3318b37d8ebd4ec9
tree 6ae85c2ad7311bf18a1212c154425415c10c205c
parent 15474dce9d295055c70c0a6ad092fd95563ddca9

A very small number of old browsers consider content as HTML
even when it is explicitly stated in the Content-Type header
that it is not. If content served is based on user-supplied
input, then an XSS is possible. Introduce three mitigations:

+ Don't reflect user input in error strings
+ Set a Content-Disposition header when requesting a resource
  that should never be displayed in a browser window
+ Set X-Content-Type-Options: nosniff on all responses

Change-Id: I81c9d6736e0439ebd1db99cd7fb701cc56d24805
Reviewed-on: https://go-review.googlesource.com/102318
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/103164
Reviewed-by: Andrew Bonventre <andybons@golang.org>
src/net/http/pprof/pprof.go
src/net/http/pprof/pprof_test.go [new file with mode: 0644]
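The three mitigations in the commit message, shown on a small stand-in handler. This is an added example, not the code from this commit or from net/http/pprof: the `/debug/pprof/` path prefix, the `knownProfiles` allowlist, the constructed profile bytes and the `probe` helper are all assumptions made for illustration. The handler sets `X-Content-Type-Options: nosniff` before any write so every response carries it, marks profile data as an attachment so a browser never renders it inline, and answers an unknown name with a fixed error string rather than echoing the request path back.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// knownProfiles is a constructed allowlist standing in for the real profile
// registry. Only names in this set ever reach a response header.
var knownProfiles = map[string]bool{"heap": true, "goroutine": true}

// serveProfile handles GET /debug/pprof/<name> (hypothetical route) and applies
// the three mitigations from the commit message.
func serveProfile(w http.ResponseWriter, r *http.Request) {
	// Mitigation 3: nosniff on all responses. Set it first so it is present on
	// every path, including the error path below.
	w.Header().Set("X-Content-Type-Options", "nosniff")

	name := strings.TrimPrefix(r.URL.Path, "/debug/pprof/")
	if !knownProfiles[name] {
		// Mitigation 1: do not reflect user input. A fixed message replaces the
		// tempting "Unknown profile: " + name, which would let the request path
		// land in the response body.
		http.Error(w, "Unknown profile", http.StatusNotFound)
		return
	}

	// Mitigation 2: profile data is for download, never for display, so tell the
	// browser to treat it as an attachment. name is safe here because it came
	// from the allowlist, not from the raw request.
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
	w.Write([]byte("constructed profile bytes")) // placeholder payload
}

// probe drives serveProfile through httptest and returns the status, headers and
// body so the hardening can be checked without a live server.
func probe(path string) (int, http.Header, string) {
	rec := httptest.NewRecorder()
	serveProfile(rec, httptest.NewRequest(http.MethodGet, path, nil))
	res := rec.Result()
	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)
	return res.StatusCode, res.Header, string(body)
}

func main() {
	for _, p := range []string{"/debug/pprof/heap", "/debug/pprof/notaprofile"} {
		status, h, body := probe(p)
		fmt.Printf("%s -> %d\n  X-Content-Type-Options: %q\n  Content-Disposition: %q\n  body: %q\n",
			p, status, h.Get("X-Content-Type-Options"), h.Get("Content-Disposition"), strings.TrimSpace(body))
	}
}
```

The ordering matters: a header added after the first `Write` is silently dropped, which is why `nosniff` goes on before any branch can write. The error branch is where reflection usually creeps in, since the unknown name is exactly what one wants to report; keeping the message constant is the whole fix.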