go-packages/iris
1
0
Fork 0
mirror of https://github.com/kataras/iris.git synced 2025-02-02 07:20:35 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

minor

Browse Source
This commit is contained in:
Gerasimos (Makis) Maropoulos 2023-11-04 00:48:09 +02:00
parent 4d13ff3622
commit b12965b050
No known key found for this signature in database
GPG Key ID: B9839E9CD30B7B6B
2 changed files with 17 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
_examples/file-server/upload-files/main.go
View File

@ -49,7 +49,11 @@ func newApp() *iris.Application {
// it can be used to change a file's name based on the request,
// at this example we will showcase how to use it
// by prefixing the uploaded file with the current user's ip.
ctx.UploadFormFiles("./uploads", beforeSave)
_, _, err := ctx.UploadFormFiles("./uploads", beforeSave)
if err != nil {
ctx.StopWithError(iris.StatusBadRequest, err)
return
}
})
app.Post("/upload_manual", func(ctx iris.Context) {
@ -96,6 +100,7 @@ func beforeSave(ctx iris.Context, file *multipart.FileHeader) bool {
return true // don't change the file but continue saving it.
}
file.Filename = ip + "-" + file.Filename
_ = ip
// file.Filename = ip + "-" + file.Filename
return true
}

17
context/context.go
View File

@ -2456,23 +2456,26 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
destPath := filepath.Join(destDirectory, filename)
// Get the canonical path of the destination
canonicalDestPath, err := filepath.EvalSymlinks(destPath)
if err != nil {
return nil, 0, err
}
// canonicalDestPath, err := filepath.EvalSymlinks(destPath)
// if err != nil {
// return nil, 0, fmt.Errorf("dest path: %s: eval symlinks: %w", destPath, err)
// }
// ^ No, it will try to find the file before uploaded.
// Get the canonical path of the destination directory.
canonicalDestDir, err := filepath.EvalSymlinks(destDirectory)
canonicalDestDir, err := filepath.EvalSymlinks(destDirectory) // the destDirectory should exists.
if err != nil {
return nil, 0, err
return nil, 0, fmt.Errorf("dest directory: %s: eval symlinks: %w", destDirectory, err)
}
// Check if the destination path is within the destination directory.
if !strings.HasPrefix(canonicalDestPath, canonicalDestDir) {
if !strings.HasPrefix(destPath, canonicalDestDir) {
// Reject the input as it is a path traversal attempt.
continue innerLoop
}
file.Filename = filename
n0, err0 := ctx.SaveFormFile(file, destPath)
if err0 != nil {
return nil, 0, err0