v2.18.0
🔐 Security fix 🔐
This release fixes a reflected XSS vulnerability (GHSA-528q-4pgm-wvg2) in the following endpoints:
`/base64/{payload}`, `/base64/decode/{payload}` and `/response-headers`
The vulnerability was triggered when a request to any of those endpoints included a `content-type` query parameter set to a dangerous value (e.g. `?content-type=text/html`), so that attacker-controlled request data was reflected in a response the browser would render as HTML.
Warning: Potential Breaking Change
The affected endpoints now HTML-escape their response bodies only when the incoming request explicitly overrides the content type with a value outside the known-safe set. The default behavior, with no `content-type` override, is unchanged.
If a go-httpbin deployment depends on the previous, vulnerable behavior, and reflected XSS is either not a concern or other mitigations are in place, the previous behavior may be re-enabled via the `-unsafe-allow-dangerous-responses` command-line flag or the `UNSAFE_ALLOW_DANGEROUS_RESPONSES=1` environment variable.
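The following is an added example, not go-httpbin's own code, that shows the shape of the bug and of the fix described above on a simplified `/base64/{payload}` handler: the vulnerable handler reflects the decoded payload under whatever `content-type` the caller asked for, while the hardened handler HTML-escapes the body whenever that override falls outside an allowlist of safe media types. The allowlist (`safeContentTypes`), the URL-safe base64 decoding, the `allowDangerous` switch standing in for the opt-out option, and the `serve` helper are all assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"html"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// safeContentTypes is a hypothetical allowlist of media types a browser will
// not render as HTML; it is an assumption for this example, not go-httpbin's
// own list.
var safeContentTypes = map[string]bool{
	"text/plain":               true,
	"application/octet-stream": true,
	"application/json":         true,
}

// decodePayload extracts the base64 segment from /base64/{payload}.
// URL-safe base64 with padding is assumed here for simplicity.
func decodePayload(path string) ([]byte, error) {
	return base64.URLEncoding.DecodeString(strings.TrimPrefix(path, "/base64/"))
}

// requestedContentType returns the Content-Type the caller asked for via the
// content-type query parameter, defaulting to text/plain.
func requestedContentType(r *http.Request) string {
	if ct := r.URL.Query().Get("content-type"); ct != "" {
		return ct
	}
	return "text/plain"
}

// vulnerableBase64Handler reflects the decoded payload verbatim under whatever
// Content-Type the caller chose: ?content-type=text/html turns the payload into
// a page the browser executes (the pre-fix behaviour described above).
func vulnerableBase64Handler(w http.ResponseWriter, r *http.Request) {
	decoded, err := decodePayload(r.URL.Path)
	if err != nil {
		http.Error(w, "invalid base64", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", requestedContentType(r))
	w.Write(decoded)
}

// newHardenedBase64Handler keeps the same interface but HTML-escapes the body
// whenever the caller overrides the content type with one outside the
// allowlist. allowDangerous mirrors an opt-out switch like the release's
// UNSAFE_ALLOW_DANGEROUS_RESPONSES option; false is the safe default.
func newHardenedBase64Handler(allowDangerous bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		decoded, err := decodePayload(r.URL.Path)
		if err != nil {
			http.Error(w, "invalid base64", http.StatusBadRequest)
			return
		}
		ct := requestedContentType(r)
		// Compare on the media type only, so "TEXT/HTML; charset=utf-8" is
		// not treated as different from "text/html". A Content-Type that
		// fails to parse is treated as unsafe.
		mediaType, _, perr := mime.ParseMediaType(ct)
		if !allowDangerous && (perr != nil || !safeContentTypes[mediaType]) {
			decoded = []byte(html.EscapeString(string(decoded)))
		}
		w.Header().Set("Content-Type", ct)
		w.Write(decoded)
	}
}

// serve runs a handler against an in-memory request and returns the status,
// Content-Type header and body, so the two handlers can be compared offline.
func serve(h http.HandlerFunc, path, query string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, path+"?"+query, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	// Constructed attacker payload: a script tag, base64-encoded into the path.
	payload := base64.URLEncoding.EncodeToString([]byte("<script>alert(1)</script>"))
	_, _, before := serve(vulnerableBase64Handler, "/base64/"+payload, "content-type=text/html")
	_, _, after := serve(newHardenedBase64Handler(false), "/base64/"+payload, "content-type=text/html")
	fmt.Printf("vulnerable: %s\nhardened:   %s\n", before, after)
}
```

Two details matter in the hardened version: the allowlist is checked against the parsed media type rather than the raw header value, so case differences or an appended `charset` parameter cannot slip an `text/html` override past the check, and the escaping happens only on the override path, so a request with no `content-type` parameter still gets the unescaped `text/plain` body.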
Important: The publicly available go-httpbin instance at https://httpbingo.org has been updated and is no longer vulnerable. All users are encouraged to upgrade to v2.18.0.
🙌 Thanks 🙌
Many thanks to @AyushXtha for responsibly reporting the vulnerability (GHSA-528q-4pgm-wvg2) according to go-httpbin's security policy and collaborating on the fix!
What's Changed
- doc: document ghcr as alternative to docker hub by @mccutchen in #202
- fix(compat): `/range` supports duration parameter by @mccutchen in #203
- docs: add security policy by @mccutchen in #204
- chore: update and appease linters by @mccutchen in #205
- fix(security): prevent reflected XSS in `/response-headers` and `/base64` endpoints by @mccutchen in 0decfd1
Full Changelog: v2.17.1...v2.18.0