Go

Made by DeepSource

Import blacklist: net/http/cgi GSC-G504

Security
Major
Tags: a03, a06, cwe-327, sans top 25, owasp top 10

Use of net/http/cgi is considered vulnerable in versions of Go lower than 1.15.1.

When a Handler does not explicitly set the Content-Type header, the net/http/cgi and net/http/fcgi packages default it to text/html. If an attacker can control any part of the response body, the browser will interpret that content as HTML, which can lead to a Cross-Site Scripting vulnerability.

The vulnerability can be avoided by:

  • Using Go 1.15.1 or Go 1.14.8 (backported security patch)
  • Avoiding the use of the net/http/cgi package

Bad practice

package main

import (
    "net/http"
    "net/http/cgi"
)

func main() {
    // Serves the directory over CGI. Responses for which the handler sets no
    // Content-Type are labelled text/html by net/http/cgi before Go 1.15.1.
    cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
}
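The defensive counterpart to the root cause above, as an added example that is not DeepSource's or the Go project's code: a plain net/http wrapper that guarantees every response carries a Content-Type, so a handler that never sets one is labelled with a non-HTML fallback instead of being treated as HTML. The names typedWriter, EnsureContentType and ContentTypeFor are ours, and the request query string is constructed for the demonstration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// typedWriter (example code, not Go's or DeepSource's) fills in a
// Content-Type before the status line goes out if the handler set none,
// so the response is never labelled text/html by default.
type typedWriter struct {
	http.ResponseWriter
	fallback    string
	wroteHeader bool
}

func (w *typedWriter) WriteHeader(code int) {
	if !w.wroteHeader {
		if w.Header().Get("Content-Type") == "" {
			w.Header().Set("Content-Type", w.fallback)
		}
		w.wroteHeader = true
	}
	w.ResponseWriter.WriteHeader(code)
}

func (w *typedWriter) Write(b []byte) (int, error) {
	if !w.wroteHeader {
		w.WriteHeader(http.StatusOK) // implicit 200, now with a header
	}
	return w.ResponseWriter.Write(b)
}

// EnsureContentType wraps h so a missing Content-Type becomes fallback
// (a non-HTML type such as "text/plain; charset=utf-8").
func EnsureContentType(h http.Handler, fallback string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h.ServeHTTP(&typedWriter{ResponseWriter: w, fallback: fallback}, r)
	})
}

// ContentTypeFor runs h under the wrapper on a constructed request and
// reports the Content-Type a client would receive.
func ContentTypeFor(h http.Handler) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/?q=constructed", nil)
	EnsureContentType(h, "text/plain; charset=utf-8").ServeHTTP(rec, req)
	return rec.Result().Header.Get("Content-Type")
}
```

A handler that does set its own Content-Type is left untouched; only the omission is corrected.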
