
net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified #40928

Closed
empijei opened this issue Aug 20, 2020 · 6 comments

Comments

@empijei empijei commented Aug 20, 2020

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”.

If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.

After the fix, the Content-Type header is set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.

Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.

Thanks to RedTeam Pentesting GmbH for reporting this issue; you can access their advisory at the following address once it's published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

This issue is CVE-2020-24553.
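
The defaulting described above, reproduced as an added Go example (not code from the Go project or from this issue): `cgiStyleWriter` is an illustrative model of both the pre-fix `text/html` default and the fix based on `http.DetectContentType`, `contentTypeFor` shows what a handler that never sets `Content-Type` ends up sending, and `explicitJSON` shows the recommended explicit labelling; the JSON document and PNG magic bytes are constructed samples.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cgiStyleWriter is an illustrative model (not the net/http/cgi source) of the
// defaulting in the issue: legacy=true is the old "text/html" default, false the fix.
type cgiStyleWriter struct {
	http.ResponseWriter
	legacy, wroteHeader bool
}

func (w *cgiStyleWriter) Write(p []byte) (int, error) {
	if !w.wroteHeader {
		if w.Header().Get("Content-Type") == "" {
			ct := "text/html" // pre-fix default
			if !w.legacy {
				ct = http.DetectContentType(p) // post-fix: sniff the first chunk
			}
			w.Header().Set("Content-Type", ct)
		}
		w.wroteHeader = true
		w.ResponseWriter.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(p)
}

// contentTypeFor runs a handler that writes body without setting Content-Type
// through cgiStyleWriter and returns the header a client would receive.
func contentTypeFor(body []byte, legacy bool) string {
	rec := httptest.NewRecorder()
	w := &cgiStyleWriter{ResponseWriter: rec, legacy: legacy}
	http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {
		rw.Write(body) // the unsafe pattern: no explicit Content-Type
	}).ServeHTTP(w, httptest.NewRequest("GET", "/", nil))
	return rec.Header().Get("Content-Type")
}

func explicitJSON(w http.ResponseWriter, body []byte) { // the pattern the issue recommends
	w.Header().Set("Content-Type", "application/json") // label attacker-influenced data yourself
	w.Write(body)
}

func main() { // constructed samples: a JSON document holding user data, and PNG magic bytes
	json, png := []byte(`{"name":"<b>user</b>"}`), []byte("\x89PNG\r\n\x1a\n")
	fmt.Println(contentTypeFor(json, true), contentTypeFor(json, false), contentTypeFor(png, false))
}
```

Note that sniffing only narrows the problem: the JSON body is served as `text/plain; charset=utf-8` rather than as a type the handler chose, which is why the issue still asks for an explicit header on any attacker-controlled content.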

@gopherbot gopherbot commented Sep 1, 2020

Change https://golang.org/cl/252179 mentions this issue: net/http/cgi,net/http/fcgi: add Content-Type detection

@rtpt-alexanderneumann rtpt-alexanderneumann commented Sep 2, 2020

Our advisory has been published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004


@toothrot toothrot commented Sep 10, 2020

@katiehockman katiehockman commented Sep 10, 2020

Huh. This should have been closed by https://go-review.googlesource.com/c/go/+/252179, which includes Fixes #40928. Apparently our tooling didn't pick it up for some reason.

In any case, this has been resolved.

@katiehockman katiehockman commented Sep 10, 2020

My bad, that CL hasn't been merged yet. Re-opening.

@katiehockman katiehockman reopened this Sep 10, 2020
@dmitshur dmitshur commented Sep 10, 2020

This issue was open because CL 252179 has not been submitted yet. I'll reopen to track that (otherwise we risk shipping Go 1.16 without the fix).

I left a ping comment on the CL.

@gopherbot gopherbot closed this in 4f5cd0c Sep 14, 2020
@golang golang locked and limited conversation to collaborators Sep 14, 2021