reports: add GO-2021-0226 for CVE-2020-24553

Fixes golang/vulndb#226

Change-Id: I7805dd6bcdc556f9936ac4f4eb5f76f5beca8947
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377617
Trust: Julie Qiu <julie@golang.org>
Run-TryBot: Julie Qiu <julie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2021-0226.yaml b/reports/GO-2021-0226.yaml
new file mode 100644
index 0000000..5e1016e
--- /dev/null
+++ b/reports/GO-2021-0226.yaml
@@ -0,0 +1,31 @@
+module: std
+package: net/http/cgi
+versions:
+- fixed: go1.14.8
+- fixed: go1.15.1
+description: |
+  When a Handler does not explicitly set the Content-Type header, the the
+  package would default to “text/html”, which could cause a Cross-Site Scripting
+  vulnerability if an attacker can control any part of the contents of a
+  response.
+
+  The Content-Type header is now set based on the contents of the first Write
+  using http.DetectContentType, which is consistent with the behavior of the
+  net/http package.
+
+  Although this protects some applications that validate the contents of
+  uploaded files, not setting the Content-Type header explicitly on any
+  attacker-controlled file is unsafe and should be avoided.
+cves:
+- CVE-2020-24553
+credit: RedTeam Pentesting GmbH
+symbols:
+- response.Write
+- response.WriteHeader
+- response.writeCGIHeader
+links:
+  pr: https://go.dev/cl/252179
+  commit: https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833
+  context:
+  - https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs
+  - https://go.dev/issue/40928
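Review bot: In the `versions` list, both entries carry only a `fixed` bound (`go1.14.8` and `go1.15.1`) and neither has an `introduced` bound. Read as ranges, the second entry covers everything below go1.15.1, which would include the patched go1.14.8 release. Consider giving the second entry an `introduced` bound at the start of the 1.15 series so the two ranges do not overlap. Separately, the first line of `description` has a duplicated word ("the the package"); drop one "the".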