]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 0fdc380) | patch
[release-branch.go1.15-security] net/http/cgi,net/http/fcgi: add Content-Type detection
authorRoberto Clapis <roberto@golang.org>
Wed, 26 Aug 2020 06:53:03 +0000 (08:53 +0200)
committerFilippo Valsorda <valsorda@google.com>
Tue, 1 Sep 2020 12:31:45 +0000 (12:31 +0000)
commiteb07103a083237414145a45f029c873d57037e06
tree22816017d9892e7a0ee0382e8db61d4c27525829tree
parent0fdc3801bfd43d6f55e4ea5bf095e1ea55430339commit | diff
[release-branch.go1.15-security] net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI
have a Content-Type header based on the content of the
response if not explicitly set by handlers.

If the implementers of the handler did not explicitly
specify a Content-Type both CGI implementations would default
to "text/html", potentially causing cross-site scripting.

Thanks to RedTeam Pentesting GmbH for reporting this.

Fixes CVE-2020-24553

Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835311
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
src/net/http/cgi/child.go diff | blob | history
src/net/http/cgi/child_test.go diff | blob | history
src/net/http/cgi/integration_test.go diff | blob | history
src/net/http/fcgi/child.go diff | blob | history
src/net/http/fcgi/fcgi_test.go diff | blob | history
Go GOST TLS 1.3