blob: bec90777005cf7403bcca92ad86233df427f481a [file] [log] [blame]
module: std
package: net/http/cgi
versions:
- fixed: go1.14.8
- fixed: go1.15.1
description: |
When a Handler does not explicitly set the Content-Type header, the the
package would default to “text/html”, which could cause a Cross-Site Scripting
vulnerability if an attacker can control any part of the contents of a
response.
The Content-Type header is now set based on the contents of the first Write
using http.DetectContentType, which is consistent with the behavior of the
net/http package.
Although this protects some applications that validate the contents of
uploaded files, not setting the Content-Type header explicitly on any
attacker-controlled file is unsafe and should be avoided.
cves:
- CVE-2020-24553
credit: RedTeam Pentesting GmbH
symbols:
- response.Write
- response.WriteHeader
- response.writeCGIHeader
links:
pr: https://go.dev/cl/252179
commit: https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833
context:
- https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs
- https://go.dev/issue/40928