| author | Roberto Clapis <email@example.com> | Wed Aug 26 08:53:03 2020 +0200 |
| committer | Filippo Valsorda <firstname.lastname@example.org> | Mon Sep 14 15:42:03 2020 +0000 |
net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI have a Content-Type header based on the content of the response if not explicitly set by handlers.

If the implementers of the handler did not explicitly specify a Content-Type both CGI implementations would default to "text/html", potentially causing cross-site scripting.

Thanks to RedTeam Pentesting GmbH for reporting this.

Fixes #40928
Fixes CVE-2020-24553

Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
Reviewed-by: Russ Cox <email@example.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/252179
Run-TryBot: Filippo Valsorda <firstname.lastname@example.org>
TryBot-Result: Go Bot <email@example.com>
Reviewed-by: Katie Hockman <firstname.lastname@example.org>
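The difference the commit message describes, as an added example that is not code from the Go project or from this change: `contentTypeBefore` and `contentTypeAfter` are hypothetical helpers that model the old "text/html" fallback and the content-based fallback, using the standard library's `http.DetectContentType` on constructed sample bodies.

```go
package main

import (
	"fmt"
	"net/http"
)

// contentTypeBefore models the old fallback named in the commit message:
// an explicit header wins, otherwise the response is labelled text/html.
func contentTypeBefore(h http.Header) string {
	if ct := h.Get("Content-Type"); ct != "" {
		return ct
	}
	return "text/html"
}

// contentTypeAfter models the fixed behaviour: an explicit header wins,
// otherwise the type is derived from the body. http.DetectContentType
// considers at most the first 512 bytes.
func contentTypeAfter(h http.Header, body []byte) string {
	if ct := h.Get("Content-Type"); ct != "" {
		return ct
	}
	return http.DetectContentType(body)
}

func main() {
	// Constructed sample responses, not taken from the original report.
	samples := []struct {
		name string
		hdr  http.Header
		body string
	}{
		{"JSON echoing markup, no header", http.Header{}, `{"q":"<div>x</div>"}`},
		{"same body, explicit header", http.Header{"Content-Type": {"application/json"}}, `{"q":"<div>x</div>"}`},
		{"body that starts with a tag", http.Header{}, "<div>hello</div>"},
		{"empty body", http.Header{}, ""},
	}
	for _, s := range samples {
		fmt.Printf("%-32s before=%-18q after=%q\n", s.name,
			contentTypeBefore(s.hdr), contentTypeAfter(s.hdr, []byte(s.body)))
	}
}
```

Sniffing still reports `text/html` for a body that begins with an HTML tag, so handlers that return untrusted data should set `Content-Type` explicitly rather than rely on detection.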
Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Official binary distributions are available at https://golang.org/dl/.
If a binary distribution is not available for your combination of operating system and architecture, visit https://golang.org/doc/install/source or load doc/install-source.html in your web browser for source installation instructions.
Go is the work of thousands of contributors. We appreciate your help!
To contribute, please read the contribution guidelines: https://golang.org/doc/contribute.html
Note that the Go project uses the issue tracker for bug reports and proposals only. See https://golang.org/wiki/Questions for a list of places to ask questions about the Go language.