]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: d571a77) | patch
[release-branch.go1.14-security] net/http/cgi,net/http/fcgi: add Content-Type detection
authorRoberto Clapis <roberto@golang.org>
Wed, 26 Aug 2020 06:53:03 +0000 (08:53 +0200)
committerFilippo Valsorda <valsorda@google.com>
Tue, 1 Sep 2020 12:31:38 +0000 (12:31 +0000)
commit8fcee8abbea1bb959c63a6944f9ddf490a97f802
treee1ae61d1531695e5c0e770307adaeb7d319d857dtree
parentd571a77846dfee8efd076223a882915cd6cb52f4commit | diff
[release-branch.go1.14-security] net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI
have a Content-Type header based on the content of the
response if not explicitly set by handlers.

If the implementers of the handler did not explicitly
specify a Content-Type both CGI implementations would default
to "text/html", potentially causing cross-site scripting.

Thanks to RedTeam Pentesting GmbH for reporting this.

Fixes CVE-2020-24553

Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835312
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
src/net/http/cgi/child.go diff | blob | history
src/net/http/cgi/child_test.go diff | blob | history
src/net/http/cgi/integration_test.go diff | blob | history
src/net/http/fcgi/child.go diff | blob | history
src/net/http/fcgi/fcgi_test.go diff | blob | history
Go GOST TLS 1.3