Hi gophers, We have just released Go 1.15.1 and Go 1.14.8 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.15.1).
When a Handler does not explicitly set the Content-Type header, the net/http/cgi <https://pkg.go.dev/net/http/cgi?tab=doc> and net/http/fcgi <https://pkg.go.dev/net/http/fcgi?tab=doc> packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response. The Content-Type header is now set based on the contents of the first Write using http.DetectContentType <https://golang.org/pkg/net/http/#DetectContentType>, which is consistent with the behavior of the net/http package. Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided. Thanks to RedTeam Pentesting GmbH for reporting this issue. This issue is CVE-2020-24553 and Go issue golang.org/issue/40928. Downloads are available at https://golang.org/dl for all supported platforms. Thank you, Filippo and Roberto on behalf of the Go team -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CA%2B2K_KpCczYrdegbbZbMxVXL%3DY7yw-bpu%3DGwX93NCar31hiEvQ%40mail.gmail.com.
