podinfo

github/podinfo

Fork 0

mirror of https://github.com/stefanprodan/podinfo.git synced 2026-05-23 09:52:46 +00:00

Commit Graph

Author	SHA1	Message	Date
Stefan Prodan	620b9b7e2c	Fix path traversal in /store endpoint Validate that the hash URL parameter matches the expected SHA1 hex format (40 lowercase hex characters) before using it in file path operations. Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>	2026-03-14 15:02:25 +02:00
Stefan Prodan	550ee9f7b9	Fix stored XSS in /store endpoint (CVE-2025-70849) Set Content-Type to application/octet-stream in storeReadHandler to prevent Go's content sniffing from serving HTML payloads as text/html. Add X-Content-Type-Options: nosniff to prevent browsers from overriding Content-Type via MIME sniffing, and Content-Security-Policy: default-src 'none' to block script execution as defense-in-depth. Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>	2026-03-14 14:40:55 +02:00

Author

SHA1

Message

Date

Stefan Prodan

620b9b7e2c

Fix path traversal in /store endpoint

Validate that the hash URL parameter matches the expected SHA1 hex
format (40 lowercase hex characters) before using it in file path
operations.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

2026-03-14 15:02:25 +02:00

Stefan Prodan

550ee9f7b9

Fix stored XSS in /store endpoint (CVE-2025-70849)

Set Content-Type to application/octet-stream in storeReadHandler
to prevent Go's content sniffing from serving HTML payloads as
text/html. Add X-Content-Type-Options: nosniff to prevent browsers
from overriding Content-Type via MIME sniffing, and
Content-Security-Policy: default-src 'none' to block script
execution as defense-in-depth.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

2026-03-14 14:40:55 +02:00

2 Commits