Vulnerability Report: GO-2021-0226
- CVE-2020-24553
- Affects: net/http/cgi, net/http/fcgi
- Published: Jan 13, 2022
- Modified: Jun 12, 2023
When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response. The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package. Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.
Affected Packages
-
PathVersionsSymbols
-
before go1.14.8, from go1.15.0-0 before go1.15.1all symbols
-
before go1.14.8, from go1.15.0-0 before go1.15.1all symbols
Aliases
References
- https://go.dev/cl/252179
- https://go.googlesource.com/go/+/4f5cd0c0331943c7ec72df3b827d972584f77833
- https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs
- https://go.dev/issue/40928
- https://vuln.go.dev/ID/GO-2021-0226.json
Credits
- RedTeam Pentesting GmbH
Feedback
See anything missing or incorrect?
Suggest an edit to this report.