
Add a rule to check if Content-Type is not explicitly set using Header().Set() #525

Open
sanAnand opened this issue Sep 4, 2020 · 1 comment

Comments


sanAnand commented Sep 4, 2020

Summary

As described by CVE-2020-24553 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24553), there's a possibility of the default content-type being set to text/html in CGI/FCGI handlers. It would be helpful to have a rule which calls out ResponseWriters which do not explicitly set content-type to an appropriate content type.

Steps to reproduce the behavior

Details provided in this blog: https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting

gosec version

Per advisory, affected versions are: <= 1.14.7, 1.15

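As an added example (not gosec's own code and not from this issue), a minimal form of the requested rule written against go/ast: it flags net/http-style handlers that write a response body without any explicit Header().Set("Content-Type", ...) call in their body. The function name CheckSource and its convention that the writer is the handler's first parameter are this example's own assumptions.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strings"
)

// CheckSource names each handler (first parameter http.ResponseWriter) that writes a body via
// w.Write or fmt.Fprint*(w, ...) but never calls Header().Set("Content-Type", ...) anywhere.
func CheckSource(src string) (findings []string, err error) {
	file, err := parser.ParseFile(token.NewFileSet(), "handler.go", src, 0)
	if err != nil {
		return nil, err
	}
	for _, d := range file.Decls {
		fn, ok := d.(*ast.FuncDecl)
		if !ok || fn.Body == nil || len(fn.Type.Params.List) == 0 {
			continue
		}
		p := fn.Type.Params.List[0]
		if types.ExprString(p.Type) != "http.ResponseWriter" || len(p.Names) == 0 {
			continue
		}
		w := p.Names[0].Name // e.g. "w" in func(w http.ResponseWriter, r *http.Request)
		setsType, writes := false, false
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			c, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			sel, ok := c.Fun.(*ast.SelectorExpr)
			switch {
			case !ok: // not a method or package-qualified call
			case sel.Sel.Name == "Set" && len(c.Args) > 0 && types.ExprString(c.Args[0]) == `"Content-Type"`:
				setsType = true // w.Header().Set("Content-Type", ...)
			case sel.Sel.Name == "Write" && types.ExprString(sel.X) == w, // w.Write(b)
				strings.HasPrefix(sel.Sel.Name, "Fprint") && len(c.Args) > 0 && types.ExprString(c.Args[0]) == w: // fmt.Fprintf(w, ...)
				writes = true
			}
			return true
		})
		if writes && !setsType {
			findings = append(findings, fn.Name.Name)
		}
	}
	return findings, nil
}
```

Control flow is ignored on purpose (a Set on any branch satisfies the rule), and writes through other sinks such as json.NewEncoder(w), io.Copy(w, ...) or templates are not modelled; a production gosec rule would need both.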

@capitanu (Contributor) commented:

Hi! 👋

Is anyone working on this issue, or could I take it on?
