Bug ID: 1176031
Summary: (CVE-2020-24553) VUL-0: CVE-2020-24553: go
net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS)
when Content-Type is not specified
Product: openSUSE Tumbleweed
Priority: P5 - None
QA Contact: qa-bugs(a)suse.de
Found By: ---
Go 1.15.1 and Go 1.14.8 address a recently reported security issue:
When a Handler does not explicitly set the Content-Type header, the
net/http/cgi and net/http/fcgi packages would default to “text/html”, which
could cause a Cross-Site Scripting vulnerability if an attacker can control any
part of the contents of a response.
The Content-Type header is now set based on the contents of the first Write
using http.DetectContentType, which is consistent with the behavior of the
Although this protects some applications that validate the contents of uploaded
files, not setting the Content-Type header explicitly on any
attacker-controlled file is unsafe and should be avoided.
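To make the two halves of the advisory concrete, here is an added Go example (not the Go project's own code and not part of this bug entry). It runs the same vulnerable pattern, a handler that echoes attacker-controlled bytes without setting Content-Type, against httptest.ResponseRecorder, which applies the same http.DetectContentType sniffing that net/http and the patched net/http/cgi and net/http/fcgi now use. The sample bodies, the handler names and the URL path are constructed for the demonstration; cgi.Serve itself is not invoked because it needs a CGI child-process environment.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed samples: the kind of data an attacker might control, e.g. an
// uploaded file echoed back or a query parameter reflected into the body.
const harmlessText = "order #42 confirmed"
const attackerControlled = `<script>alert(document.cookie)</script>`

// EchoHandlerNoContentType mirrors the vulnerable pattern from the advisory:
// it writes the bytes without ever setting Content-Type. Before Go 1.15.1 /
// 1.14.8 the cgi and fcgi packages labelled such a response "text/html"
// regardless of what it contained.
func EchoHandlerNoContentType(body []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write(body) // no Content-Type set: the server has to guess
	})
}

// EchoHandlerHardened is the fix the advisory recommends: an explicit,
// non-HTML Content-Type (plus nosniff so the browser cannot override it),
// so the bytes are never interpreted as HTML whatever they look like.
func EchoHandlerHardened(body []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Write(body)
	})
}

// ServeContentType serves one recorded GET through h and returns the
// Content-Type the response ends up with. httptest.ResponseRecorder sniffs the
// first Write with http.DetectContentType when no Content-Type was set, which
// is exactly the post-fix behaviour described in the advisory.
func ServeContentType(h http.Handler) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/echo", nil)
	h.ServeHTTP(rec, req)
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	for _, body := range []string{harmlessText, attackerControlled} {
		b := []byte(body)
		fmt.Printf("%q\n", body)
		fmt.Printf("  http.DetectContentType : %s\n", http.DetectContentType(b))
		fmt.Printf("  Content-Type unset     : %s\n", ServeContentType(EchoHandlerNoContentType(b)))
		fmt.Printf("  Content-Type explicit  : %s\n", ServeContentType(EchoHandlerHardened(b)))
	}
}
```

The output shows why the advisory's last sentence matters: sniffing rescues the harmless text (it becomes text/plain), but a body that starts with an HTML tag is sniffed as text/html, so an attacker who controls the leading bytes still gets script execution unless the handler sets the Content-Type itself.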
This issue is CVE-2020-24553 and Go issue