net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI
have a Content-Type header based on the content of the
response if not explicitly set by handlers.

If the implementers of the handler did not explicitly
specify a Content-Type both CGI implementations would default
to "text/html", potentially causing cross-site scripting.

Thanks to RedTeam Pentesting GmbH for reporting this.

Fixes #40928
Fixes CVE-2020-24553

Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-by: Russ Cox <>
Run-TryBot: Filippo Valsorda <>
TryBot-Result: Go Bot <>
Reviewed-by: Katie Hockman <>
5 files changed
tree: 9aba6fa0d87f10f1cf442a95a6c9e6f1200d28fb
  1. .gitattributes
  2. .github/
  3. .gitignore
  11. api/
  12. doc/
  13. favicon.ico
  14. lib/
  15. misc/
  16. robots.txt
  17. src/
  18. test/

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.

Our canonical Git repository is located at There is a mirror of the repository at

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at

After downloading a binary release, visit or load doc/install.html in your web browser for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit or load doc/install-source.html in your web browser for source installation instructions.


Go is the work of thousands of contributors. We appreciate your help!

To contribute, please read the contribution guidelines:

Note that the Go project uses the issue tracker for bug reports and proposals only. See for a list of places to ask questions about the Go language.