703bb6a [release-branch.go1.9] net/http/pprof: harden handler responses

Authored and Committed by Andrew Bonventre 6 years ago
    [release-branch.go1.9] net/http/pprof: harden handler responses
    
    A very small number of old browsers consider content as HTML
    even when it is explicitly stated in the Content-Type header
    that it is not. If content served is based on user-supplied
    input, then an XSS is possible. Introduce three mitigations:
    
    + Don't reflect user input in error strings
    + Set a Content-Disposition header when requesting a resource
      that should never be displayed in a browser window
    + Set X-Content-Type-Options: nosniff on all responses
    
    Change-Id: I81c9d6736e0439ebd1db99cd7fb701cc56d24805
    Reviewed-on: https://go-review.googlesource.com/102318
    Run-TryBot: Andrew Bonventre <andybons@golang.org>
    Reviewed-by: Filippo Valsorda <filippo@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-on: https://go-review.googlesource.com/103164
    Reviewed-by: Andrew Bonventre <andybons@golang.org>
    
file modified
+29 -23
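The three mitigations listed in the commit message, shown side by side on a toy profile handler. This is an added example and not the code from the commit or from net/http/pprof: the `/debug/pprof/` prefix is borrowed from the package, but the `profiles` map, the handler names and the `reflects` probe are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// profiles is a constructed stand-in for the runtime/pprof profile lookup so
// the example runs offline (hypothetical data, not real profile output).
var profiles = map[string]string{
	"heap":      "heap profile: 1: 64 [1: 64] @ heap/1048576\n",
	"goroutine": "goroutine profile: total 3\n",
}

const prefix = "/debug/pprof/"

// unsafeHandler shows the pattern the commit removes: the requested name is
// echoed into the error body, and neither nosniff nor Content-Disposition
// is set, so a content-sniffing browser may render "<script>..." as HTML.
func unsafeHandler(w http.ResponseWriter, r *http.Request) {
	name := strings.TrimPrefix(r.URL.Path, prefix)
	body, ok := profiles[name]
	if !ok {
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprintf(w, "Unknown profile: %s\n", name) // reflects user input
		return
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	fmt.Fprint(w, body)
}

// hardenedHandler applies the three mitigations from the commit message.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	// Mitigation 3: nosniff on every response, errors included, set before
	// the first write so it cannot be forgotten on an early return.
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")

	name := strings.TrimPrefix(r.URL.Path, prefix)
	body, ok := profiles[name]
	if !ok {
		// Mitigation 1: a fixed message; the attacker-controlled name never
		// reaches the response body.
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprintln(w, "Unknown profile")
		return
	}
	// Mitigation 2: ask the browser to download rather than display. name is
	// safe to embed here only because it matched a key of our own registry.
	w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
	fmt.Fprint(w, body)
}

// serve runs one GET through h and returns the recorded response.
func serve(h http.HandlerFunc, path string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec
}

// reflects reports whether requesting a non-existent profile named payload
// makes h echo payload back in the response body. The payload is
// percent-encoded on the wire; net/http decodes it into r.URL.Path.
func reflects(h http.HandlerFunc, payload string) bool {
	rec := serve(h, prefix+url.PathEscape(payload))
	return strings.Contains(rec.Body.String(), payload)
}

func main() {
	payload := "<script>alert(1)</script>"
	handlers := []struct {
		name string
		fn   http.HandlerFunc
	}{{"unsafe", unsafeHandler}, {"hardened", hardenedHandler}}
	for _, h := range handlers {
		rec := serve(h.fn, prefix+"heap")
		fmt.Printf("%s: reflects=%v nosniff=%q disposition=%q\n", h.name,
			reflects(h.fn, payload),
			rec.Header().Get("X-Content-Type-Options"),
			rec.Header().Get("Content-Disposition"))
	}
}
```

The order in `hardenedHandler` matters: headers must be set before `WriteHeader` or the first `Write`, which is why nosniff goes at the top of the function rather than next to the success path. Note that the `reflects` probe would also catch a handler that stripped `<` and `>` but still echoed other input; the commit's choice is to not echo the name at all, which is the simpler invariant to keep.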