mirror of
https://github.com/golang/go
synced 2024-11-18 08:54:45 -07:00
net/http: set nosniff header when serving Error
The Error function is a potential XSS vector if a user can control the error message. For example, an http.FileServer when given a request for this path /<script>alert("xss!")</script> may return a response with a body like this open <script>alert("xss!")</script>: no such file or directory Browsers that sniff the content may interpret this as HTML and execute the script. The nosniff header added by this CL should help, but we should also try santizing the output entirely. Change-Id: I447f701531329a2fc8ffee2df2f8fa69d546f893 Reviewed-on: https://go-review.googlesource.com/10640 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
parent
70cf7352b4
commit
321663197e
@ -1326,6 +1326,7 @@ func (f HandlerFunc) ServeHTTP(w ResponseWriter, r *Request) {
|
||||
// The error message should be plain text.
|
||||
func Error(w ResponseWriter, error string, code int) {
|
||||
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.WriteHeader(code)
|
||||
fmt.Fprintln(w, error)
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user