
net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified #40928

Closed
empijei opened this issue Aug 20, 2020 · 6 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Comments

@empijei
Contributor

empijei commented Aug 20, 2020

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”.

If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.

After the fix, the Content-Type header is set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.

Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.

Thanks to RedTeam Pentesting GmbH for reporting this issue; you can access their advisory at the following address once it's published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

This issue is CVE-2020-24553.
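
An added Go example (not the project's code, nor the CL that fixed this) of the mitigation the report describes: a ResponseWriter wrapper that, when a handler never sets Content-Type, fills it in from the first bytes written using http.DetectContentType, so user-supplied JSON or an uploaded image is no longer served as text/html. The names sniffingWriter and contentTypeFor and the sample bodies are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sniffingWriter wraps an http.ResponseWriter and, when the handler never sets
// Content-Type, derives it from the first bytes written (as the fix does)
// instead of the old CGI/FCGI default of text/html.
type sniffingWriter struct {
	http.ResponseWriter
	status     int
	headerSent bool
}
// WriteHeader only records the status; the header goes out on the first
// Write, once body bytes are available for detection.
func (w *sniffingWriter) WriteHeader(code int) {
	if w.status == 0 {
		w.status = code
	}
}
func (w *sniffingWriter) Write(p []byte) (int, error) {
	if !w.headerSent {
		if w.Header().Get("Content-Type") == "" {
			// Simplification: only the first chunk is sniffed (net/http buffers up to 512 bytes).
			w.Header().Set("Content-Type", http.DetectContentType(p))
		}
		if w.status == 0 {
			w.status = http.StatusOK
		}
		w.ResponseWriter.WriteHeader(w.status)
		w.headerSent = true
	}
	return w.ResponseWriter.Write(p)
}
// contentTypeFor serves body (constructed, possibly user-supplied data) through a
// handler that never sets Content-Type and returns what a client would receive.
func contentTypeFor(body []byte) string {
	rec := httptest.NewRecorder()
	h := func(w http.ResponseWriter, _ *http.Request) { w.Write(body) }
	http.HandlerFunc(h).ServeHTTP(&sniffingWriter{ResponseWriter: rec}, httptest.NewRequest(http.MethodGet, "/files/1", nil))
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	fmt.Println(contentTypeFor([]byte(`{"user":"mallory"}`)))           // text/plain; charset=utf-8
	fmt.Println(contentTypeFor([]byte("<html><body>hi</body></html>"))) // text/html; charset=utf-8
}
```

The HTML-looking body still detects as text/html, which is the caveat in the report: sniffing is only a safety net, and anything attacker-controlled needs an explicit Content-Type set by the handler (commonly paired with X-Content-Type-Options: nosniff).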

@dmitshur dmitshur added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Aug 21, 2020
@FiloSottile FiloSottile added Security and removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Sep 1, 2020
@FiloSottile FiloSottile added this to the Go1.16 milestone Sep 1, 2020
@FiloSottile FiloSottile changed the title from "Taking this issue ID" to "net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified" Sep 1, 2020
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 1, 2020
@gopherbot

gopherbot commented Sep 1, 2020

Change https://golang.org/cl/252179 mentions this issue: net/http/cgi,net/http/fcgi: add Content-Type detection

@rtpt-alexanderneumann

rtpt-alexanderneumann commented Sep 2, 2020

Our advisory has been published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

@toothrot
Contributor

toothrot commented Sep 10, 2020

/cc @FiloSottile @katiehockman @empijei

@katiehockman
Contributor

katiehockman commented Sep 10, 2020

Huh. This should have been closed by https://go-review.googlesource.com/c/go/+/252179, which includes Fixes #40928. Apparently our tooling didn't pick it up for some reason.

In any case, this has been resolved.

@katiehockman
Contributor

katiehockman commented Sep 10, 2020

My bad, that CL hasn't been merged yet. Re-opening.

@katiehockman katiehockman reopened this Sep 10, 2020
@dmitshur
Contributor

dmitshur commented Sep 10, 2020

This issue was open because CL 252179 has not been submitted yet. I'll reopen to track that (otherwise we risk shipping Go 1.16 without the fix).

I left a ping comment on the CL.

@golang golang locked and limited conversation to collaborators Sep 14, 2021