Vulnerability Report: GO-2021-0226

standard library
  • CVE-2020-24553
  • Affects: net/http/cgi, net/http/fcgi
  • Published: Jan 13, 2022
  • Modified: May 20, 2024

When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response. The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package. Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.

Affected Packages

  • Path
    Go Versions
    Symbols
  • net/http/cgi
    before go1.14.8, from go1.15.0-0 before go1.15.1
    3 unexported affected symbols
    • response.Write
    • response.WriteHeader
    • response.writeCGIHeader
  • net/http/fcgi
    before go1.14.8, from go1.15.0-0 before go1.15.1
    3 unexported affected symbols
    • response.Write
    • response.WriteHeader
    • response.writeCGIHeader

Aliases

References

Credits

  • RedTeam Pentesting GmbH

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.