Gerasimos (Makis) Maropoulos 2023-11-04 00:48:09 +02:00
parent 4d13ff3622
commit b12965b050
No known key found for this signature in database
GPG Key ID: B9839E9CD30B7B6B
2 changed files with 17 additions and 9 deletions


@ -49,7 +49,11 @@ func newApp() *iris.Application {
// it can be used to change a file's name based on the request, // it can be used to change a file's name based on the request,
// at this example we will showcase how to use it // at this example we will showcase how to use it
// by prefixing the uploaded file with the current user's ip. // by prefixing the uploaded file with the current user's ip.
ctx.UploadFormFiles("./uploads", beforeSave) _, _, err := ctx.UploadFormFiles("./uploads", beforeSave)
if err != nil {
ctx.StopWithError(iris.StatusBadRequest, err)
return
}
}) })
app.Post("/upload_manual", func(ctx iris.Context) { app.Post("/upload_manual", func(ctx iris.Context) {
@ -96,6 +100,7 @@ func beforeSave(ctx iris.Context, file *multipart.FileHeader) bool {
return true // don't change the file but continue saving it. return true // don't change the file but continue saving it.
} }
file.Filename = ip + "-" + file.Filename _ = ip
// file.Filename = ip + "-" + file.Filename
return true return true
} }
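Review bot: The new error branch in the `/upload` handler hands `err` straight to `ctx.StopWithError(iris.StatusBadRequest, err)`, but not every error from `UploadFormFiles` is the client's fault. If `StopWithError` writes the error text into the response (it appears to), a missing or unreadable `./uploads` directory is reported as a 400 and may echo server-side path details to the caller. For non-request errors, consider logging and answering generically, e.g. `ctx.Application().Logger().Errorf("upload: %v", err)` followed by `ctx.StopWithStatus(iris.StatusInternalServerError)`. Separately, the comment above the call still says the example prefixes the file name with the user's IP, while `beforeSave` now has that line commented out and keeps `_ = ip` only to silence the unused variable; either restore the rename or update the comment.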


@ -2456,23 +2456,26 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
destPath := filepath.Join(destDirectory, filename) destPath := filepath.Join(destDirectory, filename)
// Get the canonical path of the destination // Get the canonical path of the destination
canonicalDestPath, err := filepath.EvalSymlinks(destPath) // canonicalDestPath, err := filepath.EvalSymlinks(destPath)
if err != nil { // if err != nil {
return nil, 0, err // return nil, 0, fmt.Errorf("dest path: %s: eval symlinks: %w", destPath, err)
} // }
// ^ No, it will try to find the file before uploaded.
// Get the canonical path of the destination directory. // Get the canonical path of the destination directory.
canonicalDestDir, err := filepath.EvalSymlinks(destDirectory) canonicalDestDir, err := filepath.EvalSymlinks(destDirectory) // the destDirectory should exists.
if err != nil { if err != nil {
return nil, 0, err return nil, 0, fmt.Errorf("dest directory: %s: eval symlinks: %w", destDirectory, err)
} }
// Check if the destination path is within the destination directory. // Check if the destination path is within the destination directory.
if !strings.HasPrefix(canonicalDestPath, canonicalDestDir) { if !strings.HasPrefix(destPath, canonicalDestDir) {
// Reject the input as it is a path traversal attempt. // Reject the input as it is a path traversal attempt.
continue innerLoop continue innerLoop
} }
file.Filename = filename
n0, err0 := ctx.SaveFormFile(file, destPath) n0, err0 := ctx.SaveFormFile(file, destPath)
if err0 != nil { if err0 != nil {
return nil, 0, err0 return nil, 0, err0
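Review bot: The containment check on the new side compares the uncanonicalised `destPath` with `canonicalDestDir`, so the two strings are no longer in the same form. When `destDirectory` is a symlink, or `EvalSymlinks` otherwise rewrites it, `destPath` never carries that prefix and every file is silently skipped by `continue innerLoop`. A bare `strings.HasPrefix` without a trailing separator also accepts a sibling directory such as `uploads-old` for `uploads`. Resolve the directory first, then build and check the path from it: `destPath := filepath.Join(canonicalDestDir, filename)` and `if !strings.HasPrefix(destPath, canonicalDestDir+string(filepath.Separator)) {`. How `filename` is derived is outside the hunk, so it cannot be confirmed here whether it is already reduced to a base name; the function body starts and ends outside the hunk.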