May 31, 2021 Article blog

The Go Team released Go 1.15.1 and Go 1.14.8 to address recently reported security issues. It is recommended that all affected users update to one of these versions (select Go 1.15.1 if you are not sure which version applies to you).
If a handler does not explicitly set the Content-Type response header, the net/http/cgi and net/http/fcgi packages defaulted it to "text/html", which can lead to a cross-site scripting vulnerability if an attacker can control any part of the response body.
The packages have now been changed to set the Content-Type response header based on the content of the first Write, using http.DetectContentType, which is consistent with the behavior of the net/http package.
While this protects some applications that validate the contents of uploaded files, content sniffing is not a safe substitute for an explicit header when the response contains data controlled by an attacker, and relying on it should be avoided. That is, you should always explicitly set the Content-Type response header.
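The following is an added example (not code from the Go project or the advisory) showing why sniffing alone is not enough. It serves a constructed attacker-controlled "upload" through a handler, once relying on the sniffed type and once with an explicit Content-Type, and compares the header a client would receive. httptest.ResponseRecorder sniffs the type on the first Write the same way net/http does, so it stands in for the post-fix cgi and fcgi behaviour; the upload body, handler and URL path are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// untrustedUpload is a constructed sample of a file an attacker uploaded as a
// "text report". Its bytes look like HTML, so content sniffing classifies it as HTML.
const untrustedUpload = "<html><script>alert(document.domain)</script></html>"

// sniffedType reports the media type net/http infers from the first write,
// which is what the fixed cgi/fcgi packages now fall back to.
func sniffedType(body []byte) string {
	return http.DetectContentType(body)
}

// serveUpload returns a handler that writes the attacker-controlled bytes.
// With explicit == false it leaves Content-Type to sniffing; with explicit == true
// it sets the header before the first Write, which is the recommended approach.
func serveUpload(explicit bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if explicit {
			// The header must be set before the first Write; afterwards it is fixed.
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			// Tell browsers not to second-guess the declared type.
			w.Header().Set("X-Content-Type-Options", "nosniff")
		}
		w.Write([]byte(untrustedUpload))
	}
}

// responseContentType runs the handler against a recorded request and returns
// the Content-Type header the client would see.
func responseContentType(h http.Handler) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/download/report.txt", nil) // constructed path
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Content-Type")
}

func main() {
	fmt.Println("sniffed type of upload:      ", sniffedType([]byte(untrustedUpload)))
	fmt.Println("served relying on sniffing:  ", responseContentType(serveUpload(false)))
	fmt.Println("served with explicit header: ", responseContentType(serveUpload(true)))
}
```

Sniffing does help when the body is plainly text (a body such as "quarterly totals: 42" is detected as text/plain), which is why it protects applications that validate uploads. For a body that looks like HTML the sniffed type is text/html, so only the handler that sets the header explicitly keeps the browser from rendering the attacker's markup.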
This issue was reported by RedTeam Pentesting GmbH. It is tracked as CVE-2020-24553; see github.com/golang/go/issues/40928.