You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As described by CVE-2020-24553 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24553) , there's a possibility of the default content-type being set to text/html CGI/FCGI handlers. It would be helpful to have a rule which calls out Responsewriters which do not explicitly set content-type to appropriate content type
Summary
As described by CVE-2020-24553 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24553) , there's a possibility of the default content-type being set to text/html CGI/FCGI handlers. It would be helpful to have a rule which calls out Responsewriters which do not explicitly set content-type to appropriate content type
Steps to reproduce the behavior
Details provided in this blog: https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting
gosec version
Per advisory, affected versions are: <= 1.14.7, 1.15
Go version (output of 'go version')
Operating system / Environment
Expected behavior
Actual behavior
The text was updated successfully, but these errors were encountered: