net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified #40928
Change https://golang.org/cl/252179 mentions this issue:
Our advisory has been published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004
Huh. This should have been closed by https://go-review.googlesource.com/c/go/+/252179, which includes In any case, this has been resolved.
My bad, that CL hasn't been merged yet. Re-opening.
This issue was open because CL 252179 has not been submitted yet. I'll reopen to track that (otherwise we risk shipping Go 1.16 without the fix). I left a ping comment on the CL.
When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”.
If an attacker can make a server generate content under their control (e.g. a JSON document containing user data or an uploaded image file), it might be mistakenly returned by the server as “text/html”. If a victim visits such a page, they could get the attacker's code executed in the context of the server origin.
After the fix, the Content-Type header is set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.
Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.
Thanks to RedTeam Pentesting GmbH for reporting this issue; you can access their advisory at the following address once it's published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004
This issue is CVE-2020-24553.
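The content sniffing that the fix introduces, and why an explicit Content-Type is still needed for attacker-controlled bytes, as an added example that is not part of this issue thread or the Go project's code. It drives handlers through net/http's own ResponseWriter via httptest (which already applies http.DetectContentType on the first Write, the behaviour the cgi packages were aligned with) rather than spawning a CGI child; the sample bodies are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed bodies standing in for content an attacker can make the server
// emit: a JSON document with user data, and an "uploaded file" whose bytes
// happen to look like HTML.
var (
	sampleJSON   = []byte(`{"user":"alice","bio":"<b>hi</b>"}`)
	sampleUpload = []byte(`<html><body>hello</body></html>`)
)

// SniffedType is what the post-fix cgi/fcgi code (and net/http itself) picks
// when a handler never sets Content-Type: DetectContentType on the first Write.
func SniffedType(body []byte) string {
	return http.DetectContentType(body)
}

// unsafeHandler mirrors the reported pattern: it writes the body and leaves
// the Content-Type decision to the server.
func unsafeHandler(body []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write(body)
	}
}

// safeHandler gives attacker-controlled bytes an explicit, non-executable
// type and tells browsers not to second-guess it.
func safeHandler(body []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		_, _ = w.Write(body)
	}
}

// Serve runs h through a net/http ResponseWriter and returns the
// Content-Type a client would receive.
func Serve(h http.Handler, path string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	fmt.Println(Serve(unsafeHandler(sampleJSON), "/user.json")) // text/plain; charset=utf-8
	fmt.Println(Serve(unsafeHandler(sampleUpload), "/upload"))  // text/html; charset=utf-8 (sniffing alone does not help here)
	fmt.Println(Serve(safeHandler(sampleUpload), "/upload"))    // application/octet-stream
}
```

The second line shows the caveat from the issue text: sniffing protects the JSON case, but an upload that looks like HTML is still served as text/html unless the handler sets the header itself.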