Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified #40928
When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”.
If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.
After the fix, the Content-Type header is set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.
Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.
Thanks to RedTeam Pentesting GmbH for reporting this issue, you can access their advisory at the following address once it's published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004
This issue is CVE-2020-24553.