From e213dba0d32ff66653e0ef124bc5088817264b08 Mon Sep 17 00:00:00 2001
From: "Gerasimos (Makis) Maropoulos"
Date: Thu, 23 Dec 2021 22:05:26 +0200
Subject: [PATCH] security fix
---
 HISTORY.md | 2 ++
 context/context.go | 18 ++++--------------
 2 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/HISTORY.md b/HISTORY.md
index 32b8d87c..7f49e93e 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -28,6 +28,8 @@ The codebase for Dependency Injection, Internationalization and localization and
 ## Fixes and Improvements
+- Push a security fix reported by [Kirill Efimov](https://github.com/kirill89) for older go runtimes.
+
 - New `Configuration.Timeout` and `Configuration.TimeoutMessage` fields. Use it to set HTTP timeouts. Note that your http server's (`Application.ConfigureHost`) Read/Write timeouts should be a bit higher than the `Configuration.Timeout` in order to give some time to http timeout handler to kick in and be able to send the `Configuration.TimeoutMessage` properly.
 - New `apps.OnApplicationRegistered` method which listens on new Iris applications hosted under the same binary. Use it on your `init` functions to configure Iris applications by any spot in your project's files.
diff --git a/context/context.go b/context/context.go
index 1b4e43c7..28fa9ae8 100644
--- a/context/context.go
+++ b/context/context.go
@@ -2032,13 +2032,7 @@ func (ctx *Context) FormFiles(key string, before ...func(*Context, *multipart.Fi
 innerLoop:
 for _, header := range fhs[key] {
- // Fix an issue that net/http has,
- // an attacker can push a filename
- // which could lead to override existing system files
- // by ../../$header.
- // Reported by Frank through security reports.
- header.Filename = strings.ReplaceAll(header.Filename, "../", "")
- header.Filename = strings.ReplaceAll(header.Filename, "..\\", "")
+ header.Filename = filepath.Base(header.Filename)
 for _, b := range before {
 if !b(ctx, header) {
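Review bot: The new line `header.Filename = filepath.Base(header.Filename)` in FormFiles carries no comment at all, so a later reader has no hint that this is a path-traversal mitigation and not a cosmetic normalization that could be dropped — the removed block at least recorded the why, and the sibling change in UploadFormFiles keeps one. I would put a short why-comment above it: `// Keep only the base name: a crafted multipart filename such as ../../etc/passwd must not be able to escape the directory a caller writes it into (mime/multipart applies the same mitigation upstream, as I recall from Go 1.17 on).` It is also worth stating that the result is OS-dependent: on a Linux host Base strips only forward-slash components, so a backslash-separated name is kept verbatim, which is harmless there but matters if the returned headers are ever persisted on a different filesystem than the one serving. FormFiles' body starts before and continues after this hunk.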
@@ -2100,13 +2094,9 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
 for _, files := range fhs {
 innerLoop:
 for _, file := range files {
- // Fix an issue that net/http has,
- // an attacker can push a filename
- // which could lead to override existing system files
- // by ../../$file.
- // Reported by Frank through security reports.
- file.Filename = strings.ReplaceAll(file.Filename, "../", "")
- file.Filename = strings.ReplaceAll(file.Filename, "..\\", "")
+ // Security fix for go < 1.17.5:
+ // Reported by Kirill Efimov (snyk.io) through security reports.
+ file.Filename = filepath.Base(file.Filename)
 for _, b := range before {
 if !b(ctx, file) {
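Review bot: `filepath.Base` does not guarantee a usable file name after the added line in UploadFormFiles: it returns `.` for an empty filename (a part whose Content-Disposition has no filename parameter), `..` for `..` or `../`, and the separator itself for a bare `/`, so the name handed to the `before` callbacks and later joined onto destDirectory can still be `.` or `..`, which points at destDirectory or its parent rather than at a file. I would reject those results right after the Base call, e.g. `if n := file.Filename; n == "." || n == ".." || n == string(filepath.Separator) {` and treat the part the same way a `before` veto is treated on the line that follows, or surface an error if the function's contract allows it. The new comment attributes the upstream fix to "go < 1.17.5"; as far as I recall the Part.FileName change that applies Base landed in Go 1.17 itself, while 1.17.5 was a different set of fixes, so the version in the comment is worth confirming before it ships. UploadFormFiles' body starts before and continues after this hunk, including the join onto destDirectory that this guard protects.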