From 8fef8fd04c785f9a976e5ce325fd751f90eb92b2 Mon Sep 17 00:00:00 2001
From: "Gerasimos (Makis) Maropoulos"
Date: Sun, 27 Dec 2020 13:23:14 +0200
Subject: [PATCH] context.UploadFormFiles: security fix
---
 README.md | 2 +-
 context/context.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6dba82fa..53010c35 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
 ## 🎅
-Let me take this opportunity to thank you for all your faith and dedication to the Iris Open Source Project. We have achieved so many things together. Hope your bond lasts forever! **Merry Christmas🌳**
+Let me take this opportunity to thank you for all your faith and dedication to the Iris Open Source Project. We have achieved so many things together. Hope your bond lasts forever! **Merry Christmas🎄**
diff --git a/context/context.go b/context/context.go
index b5e139b2..efedee3f 100644
--- a/context/context.go
+++ b/context/context.go
@@ -1974,6 +1974,13 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
 for _, files := range fhs {
 innerLoop:
 for _, file := range files {
+ // Fix an issue that net/http has,
+ // an attacker can push a filename
+ // which could lead to override existing system files
+ // by ../../$file.
+ // Reported by Frank through security reports.
+ file.Filename = strings.TrimLeft(file.Filename, "../")
+ file.Filename = strings.TrimLeft(file.Filename, "..\\")
 for _, b := range before {
 if !b(ctx, file) {