| Age | Commit message | Author |
|
Close #43624
Change-Id: Ifaea3d8ec2aeabbd923abf5edd7497172dbf855a
GitHub-Last-Rev: ea3ef953a1dbbb07c4554e4062571af716e9505b
GitHub-Pull-Request: golang/go#43803
Reviewed-on: https://go-review.googlesource.com/c/go/+/284778
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Bryan C. Mills <bcmills@google.com>
Trust: Robert Findley <rfindley@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
|
|
This CL ensures that responses served via CGI and FastCGI
have a Content-Type header based on the content of the
response if not explicitly set by handlers.
If the implementers of the handler did not explicitly
specify a Content-Type both CGI implementations would default
to "text/html", potentially causing cross-site scripting.
Thanks to RedTeam Pentesting GmbH for reporting this.
Fixes #40928
Fixes CVE-2020-24553
Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/252179
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
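
An added example, not part of the commit or the Go source tree: it models the behaviour the CVE-2020-24553 commit message above describes, comparing the old "text/html" default with content-based detection for handlers that set no Content-Type. The names `probe`, `served` and `echo` are hypothetical, the sample bodies are constructed, and `http.DetectContentType` is assumed here as the content-based detection.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe is a minimal ResponseWriter that keeps the handler's headers and body.
type probe struct {
	hdr  http.Header
	body []byte
}
func (p *probe) Header() http.Header { return p.hdr }
func (p *probe) WriteHeader(int)     {}
func (p *probe) Write(b []byte) (int, error) {
	p.body = append(p.body, b...)
	return len(b), nil
}

// served models the Content-Type a client sees: sniff=false is the old "text/html" default, sniff=true assumes http.DetectContentType.
func served(h http.HandlerFunc, sniff bool) (ctype string, explicit bool) {
	p := &probe{hdr: http.Header{}}
	h(p, httptest.NewRequest("GET", "/", nil))
	if ct := p.hdr.Get("Content-Type"); ct != "" {
		return ct, true // the handler chose the type itself; nothing is defaulted
	}
	if sniff {
		return http.DetectContentType(p.body), false
	}
	return "text/html", false
}

// echo builds a constructed sample handler; ctype "" means no Content-Type is set.
func echo(body, ctype string) http.HandlerFunc {
	return func(w http.ResponseWriter, _ *http.Request) {
		if ctype != "" {
			w.Header().Set("Content-Type", ctype)
		}
		fmt.Fprint(w, body)
	}
}

func main() {
	for _, h := range []http.HandlerFunc{echo("Hello, <b>guest</b>", ""), echo("<b>guest</b>", ""), echo("<b>guest</b>", "text/plain; charset=utf-8")} {
		before, _ := served(h, false)
		after, explicit := served(h, true)
		fmt.Printf("explicit=%-5v before=%q after=%q\n", explicit, before, after)
	}
}
```

The second case shows that a body beginning with markup is still detected as text/html, so handlers that emit untrusted data should set Content-Type explicitly rather than rely on detection.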
|
|
For server requests, the http.Request Body should not be nil.
Fixes #39190
Change-Id: I32de7b6c0f6ca55008fea9fd86089cda0a2dea62
Reviewed-on: https://go-review.googlesource.com/c/go/+/235137
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Bryan C. Mills <bcmills@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
My fault (from CL 4245070), sorry.
Change-Id: Ib95d3170dc326e74aa74c22421c4e44a8b00f577
Reviewed-on: https://go-review.googlesource.com/c/go/+/214920
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
|