context.UploadFormFiles: security fix

Gerasimos (Makis) Maropoulos 2020-12-27 13:23:14 +02:00
parent e2b481dea1
commit 8fef8fd04c
No known key found for this signature in database
GPG Key ID: 5DBE766BD26A54E7
2 changed files with 8 additions and 1 deletions


@ -9,7 +9,7 @@
## 🎅
Let me take this opportunity to thank you for all your faith and dedication to the Iris Open Source Project. We have achieved so many things together. Hope your bond lasts forever! **Merry Christmas🌳**
Let me take this opportunity to thank you for all your faith and dedication to the Iris Open Source Project. We have achieved so many things together. Hope your bond lasts forever! **Merry Christmas🎄**
<!-- ![](https://iris-go.com/images/release.png) Iris version **12.1.8** has been [released](HISTORY.md#su-16-february-2020--v1218)! -->


@ -1974,6 +1974,13 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
for _, files := range fhs {
innerLoop:
for _, file := range files {
// Fix an issue that net/http has,
// an attacker can push a filename
// which could lead to override existing system files
// by ../../$file.
// Reported by Frank through security reports.
file.Filename = strings.TrimLeft(file.Filename, "../")
file.Filename = strings.TrimLeft(file.Filename, "..\\")
for _, b := range before {
if !b(ctx, file) {