Commit 4f5cd0c0 authored by Roberto Clapis's avatar Roberto Clapis Committed by Filippo Valsorda
Browse files

net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI
have a Content-Type header based on the content of the
response if not explicitly set by handlers.

If the implementers of the handler did not explicitly
specify a Content-Type both CGI implementations would default
to "text/html", potentially causing cross-site scripting.

Thanks to RedTeam Pentesting GmbH for reporting this.

Fixes #40928
Fixes CVE-2020-24553

Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217


Reviewed-by: default avatarRuss Cox <rsc@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/252179


Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: default avatarKatie Hockman <katie@golang.org>
parent 66e66e71
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment