net/http/cgi,net/http/fcgi: add Content-Type detection - go - Fork of Go programming language with my patches.

diff options

author	Roberto Clapis <roberto@golang.org>	2020-08-26 08:53:03 +0200
committer	Filippo Valsorda <filippo@golang.org>	2020-09-14 15:42:03 +0000
commit	4f5cd0c0331943c7ec72df3b827d972584f77833 (patch)
tree	9aba6fa0d87f10f1cf442a95a6c9e6f1200d28fb /src/cmd/api
parent	66e66e71132034aa620ffbae9008f951da0f9f27 (diff)
download	go-4f5cd0c0331943c7ec72df3b827d972584f77833.tar.xz

net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI have a Content-Type header based on the content of the response if not explicitly set by handlers. If the implementers of the handler did not explicitly specify a Content-Type both CGI implementations would default to "text/html", potentially causing cross-site scripting. Thanks to RedTeam Pentesting GmbH for reporting this. Fixes #40928 Fixes CVE-2020-24553 Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/252179 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>

Diffstat (limited to 'src/cmd/api')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: