
net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified #40928

Closed
empijei opened this issue Aug 20, 2020 · 6 comments

Comments

@empijei (Contributor) commented Aug 20, 2020

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”.

If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.

After the fix, the Content-Type header is set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.

Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.

Thanks to RedTeam Pentesting GmbH for reporting this issue; you can access their advisory at the following address once it's published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

This issue is CVE-2020-24553.
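The three behaviours the report contrasts (the old `text/html` default, the post-fix sniffing of the first `Write`, and a handler that labels its output explicitly) can be seen side by side with a small harness. The code below is an added illustration, not the `net/http/cgi` or `net/http/fcgi` implementation and not code from the reporter; the `defaultingWriter` wrapper, the policy functions and the JSON body are constructed for the example. It also shows the caveat in the report: sniffing turns unlabelled JSON into `text/plain`, but an uploaded file that starts with HTML is still detected as HTML, which is why explicit `Content-Type` (plus `X-Content-Type-Options: nosniff`) on attacker-influenced responses remains the real fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed "user-controlled" response body: a JSON document whose string
// field carries markup. It is only harmless if the browser treats it as data.
const userJSON = `{"name":"<b>Mallory</b>"}`

// defaultingWriter (hypothetical) wraps a ResponseWriter and applies a fallback
// Content-Type on the first Write when the handler never set one. pick is the
// fallback policy under test.
type defaultingWriter struct {
	http.ResponseWriter
	pick        func(firstWrite []byte) string
	wroteHeader bool
}

func (w *defaultingWriter) WriteHeader(code int) {
	if w.wroteHeader {
		return
	}
	w.wroteHeader = true
	w.ResponseWriter.WriteHeader(code)
}

func (w *defaultingWriter) Write(p []byte) (int, error) {
	if !w.wroteHeader {
		if w.Header().Get("Content-Type") == "" {
			w.Header().Set("Content-Type", w.pick(p))
		}
		w.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(p)
}

// legacyDefault models the pre-fix behaviour: anything unlabelled is text/html.
func legacyDefault([]byte) string { return "text/html" }

// sniffDefault models the post-fix behaviour: the type is derived from the
// first Write with http.DetectContentType (first 512 bytes), as net/http does.
func sniffDefault(first []byte) string { return http.DetectContentType(first) }

// contentTypeUnder runs h with the given fallback policy and returns the
// Content-Type header the client would receive.
func contentTypeUnder(pick func([]byte) string, h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "/profile.json", nil)
	h(&defaultingWriter{ResponseWriter: rec, pick: pick}, req)
	return rec.Header().Get("Content-Type")
}

// forgetsType is the risky pattern: the handler relies on whatever default
// the server applies.
func forgetsType(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte(userJSON))
}

// setsType is the recommended pattern: explicit type plus nosniff, so the
// browser never second-guesses the label.
func setsType(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write([]byte(userJSON))
}

func main() {
	fmt.Println("legacy default :", contentTypeUnder(legacyDefault, forgetsType))
	fmt.Println("sniffed default:", contentTypeUnder(sniffDefault, forgetsType))
	fmt.Println("explicit       :", contentTypeUnder(sniffDefault, setsType))
	// Sniffing is a mitigation, not a guarantee: an unlabelled upload that
	// begins with HTML is still served as HTML.
	fmt.Println("html upload    :", http.DetectContentType([]byte("<!DOCTYPE html><script>")))
}
```

Run it with `go run .`: the unlabelled JSON goes out as `text/html` under the legacy default, as `text/plain; charset=utf-8` under sniffing, and as `application/json` only when the handler sets it; the HTML-leading body is reported as `text/html; charset=utf-8` in all cases, so a file-serving handler must label its response itself.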

@FiloSottile FiloSottile added Security and removed WaitingForInfo labels Sep 1, 2020
@FiloSottile FiloSottile added this to the Go1.16 milestone Sep 1, 2020
@FiloSottile FiloSottile changed the title Taking this issue ID net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified Sep 1, 2020
@dmitshur dmitshur added the NeedsFix label Sep 1, 2020
@gopherbot commented Sep 1, 2020

Change https://golang.org/cl/252179 mentions this issue: net/http/cgi,net/http/fcgi: add Content-Type detection

@rtpt-alexanderneumann commented Sep 2, 2020

Our advisory has been published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

@toothrot (Contributor) commented Sep 10, 2020

@katiehockman (Member) commented Sep 10, 2020

Huh. This should have been closed by https://go-review.googlesource.com/c/go/+/252179, which includes Fixes #40928. Apparently our tooling didn't pick it up for some reason.

In any case, this has been resolved.

@katiehockman (Member) commented Sep 10, 2020

My bad, that CL hasn't been merged yet. Re-opening.

@katiehockman katiehockman reopened this Sep 10, 2020
@dmitshur (Member) commented Sep 10, 2020

This issue was open because CL 252179 has not been submitted yet. I'll reopen to track that (otherwise we risk shipping Go 1.16 without the fix).

I left a ping comment on the CL.

@gopherbot gopherbot closed this in 4f5cd0c Sep 14, 2020