[release-branch.go1.14-security] net/http/cgi,net/http/fcgi: add Content-Type detection - go - Fork of Go programming language with my patches.

diff options

author	Roberto Clapis <roberto@golang.org>	2020-08-26 08:53:03 +0200
committer	Filippo Valsorda <valsorda@google.com>	2020-09-01 12:31:38 +0000
commit	8fcee8abbea1bb959c63a6944f9ddf490a97f802 (patch)
tree	e1ae61d1531695e5c0e770307adaeb7d319d857d /src/database/sql/sql.go
parent	d571a77846dfee8efd076223a882915cd6cb52f4 (diff)
download	go-8fcee8abbea1bb959c63a6944f9ddf490a97f802.tar.xz

[release-branch.go1.14-security] net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI have a Content-Type header based on the content of the response if not explicitly set by handlers. If the implementers of the handler did not explicitly specify a Content-Type both CGI implementations would default to "text/html", potentially causing cross-site scripting. Thanks to RedTeam Pentesting GmbH for reporting this. Fixes CVE-2020-24553 Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217 Reviewed-by: Russ Cox <rsc@google.com> (cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835312 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Diffstat (limited to 'src/database/sql/sql.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: