aboutsummaryrefslogtreecommitdiff
path: root/src/net/http/cgi/child_test.go
AgeCommit message (Collapse)Author
2025-11-13net/http/cgi: accept INCLUDED as protocol for server side includesPeter Beard
The existing protocol check for fcgi/cgi requests did not properly account for Apache SSI (Server-Side Includes) SERVER_PROTOCOL value of INCLUDED. Added check for well-known INCLUDED value for proper implementation of the CGI Spec as specified in RFC 3875 - section 4.1.16. The SERVER_PROTOCOL section of the specification is outlined at https://www.rfc-editor.org/rfc/rfc3875.html#section-4.1.16 Fixes #70416 Change-Id: I129e606147e16d1daefb49ed6c13a561a88ddeb6 Reviewed-on: https://go-review.googlesource.com/c/go/+/715680 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: Sean Liao <sean@liao.dev> Auto-Submit: Sean Liao <sean@liao.dev>
2020-09-14net/http/cgi,net/http/fcgi: add Content-Type detectionRoberto Clapis
This CL ensures that responses served via CGI and FastCGI have a Content-Type header based on the content of the response if not explicitly set by handlers. If the implementers of the handler did not explicitly specify a Content-Type both CGI implementations would default to "text/html", potentially causing cross-site scripting. Thanks to RedTeam Pentesting GmbH for reporting this. Fixes #40928 Fixes CVE-2020-24553 Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/252179 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
2014-12-23net/http/cgi: Correctly pass down the REMOTE_PORT value for CGI requests.George Shammas
Currently when we get a CGI or FCGI request, the remote port of the client is hard coded to zero, despite nearly every webserver passing down the REMOTE_PORT variable. This was likely originally excluded because the CGI RFC (rfc3875) does not mention anything about the remote port of the client. However every webserver tested does pass REMOTE_PORT down. This includes Apache 2.2, Apache 2.4, nginx and lighttpd. Fixes #8351 Change-Id: I4c6366cb39f0ccc05e038bd31d85f93b76e8d0c8 Reviewed-on: https://go-review.googlesource.com/1750 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2014-09-08build: move package sources from src/pkg to srcRuss Cox
Preparation was in CL 134570043. This CL contains only the effect of 'hg mv src/pkg/* src'. For more about the move, see golang.org/s/go14nopkg.
generated by cgit v1.3 (git 2.53.0) at 2026-04-15 23:59:13 +0000