security fix
This commit is contained in:
parent
25ad31be50
commit
e213dba0d3
@ -28,6 +28,8 @@ The codebase for Dependency Injection, Internationalization and localization and
|
|||
|
||||
## Fixes and Improvements
|
||||
|
||||
- Push a security fix reported by [Kirill Efimov](https://github.com/kirill89) for older go runtimes.
|
||||
|
||||
- New `Configuration.Timeout` and `Configuration.TimeoutMessage` fields. Use it to set HTTP timeouts. Note that your http server's (`Application.ConfigureHost`) Read/Write timeouts should be a bit higher than the `Configuration.Timeout` in order to give some time to http timeout handler to kick in and be able to send the `Configuration.TimeoutMessage` properly.
|
||||
|
||||
- New `apps.OnApplicationRegistered` method which listens on new Iris applications hosted under the same binary. Use it on your `init` functions to configure Iris applications by any spot in your project's files.
|
||||
|
|
|
@ -2032,13 +2032,7 @@ func (ctx *Context) FormFiles(key string, before ...func(*Context, *multipart.Fi
|
|||
|
||||
innerLoop:
|
||||
for _, header := range fhs[key] {
|
||||
// Fix an issue that net/http has,
|
||||
// an attacker can push a filename
|
||||
// which could lead to override existing system files
|
||||
// by ../../$header.
|
||||
// Reported by Frank through security reports.
|
||||
header.Filename = strings.ReplaceAll(header.Filename, "../", "")
|
||||
header.Filename = strings.ReplaceAll(header.Filename, "..\\", "")
|
||||
header.Filename = filepath.Base(header.Filename)
|
||||
|
||||
for _, b := range before {
|
||||
if !b(ctx, header) {
|
||||
|
@ -2100,13 +2094,9 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
|
|||
for _, files := range fhs {
|
||||
innerLoop:
|
||||
for _, file := range files {
|
||||
// Fix an issue that net/http has,
|
||||
// an attacker can push a filename
|
||||
// which could lead to override existing system files
|
||||
// by ../../$file.
|
||||
// Reported by Frank through security reports.
|
||||
file.Filename = strings.ReplaceAll(file.Filename, "../", "")
|
||||
file.Filename = strings.ReplaceAll(file.Filename, "..\\", "")
|
||||
// Security fix for go < 1.17.5:
|
||||
// Reported by Kirill Efimov (snyk.io) through security reports.
|
||||
file.Filename = filepath.Base(file.Filename)
|
||||
|
||||
for _, b := range before {
|
||||
if !b(ctx, file) {
|
||||
|
|
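Review bot: `filepath.Base` does not neutralize every caller-supplied name: for `file.Filename` values of `""`, `"."`, `".."` or `"../"` it returns `"."` or `".."`, so the new `file.Filename = filepath.Base(file.Filename)` line in the UploadFormFiles hunk (and the matching `header.Filename` line in the FormFiles hunk above) can still pass a dot-name on to whatever joins it with `destDirectory` further down; that would resolve to the directory itself rather than a file inside it, so this looks like a robustness gap rather than a traversal, but it should be rejected explicitly. Adding `if file.Filename == "." || file.Filename == ".." { continue innerLoop }` right after the Base call covers all four inputs (the `innerLoop` label is visible in the hunk; use the function's existing error return instead if silently skipping the file is not wanted), and the same two lines apply to `header` in FormFiles. Note also that on non-Windows builds `filepath.Base` splits only on `/`, so the coverage the removed `strings.ReplaceAll(file.Filename, "..\\", "")` line gave for backslash names is gone; harmless for a file written on that host, but worth a one-line comment if the upload directory may later be read from Windows. The FormFiles hunk applies the Base call without the two-line `// Security fix for go < 1.17.5:` comment that UploadFormFiles carries, and copying it there keeps both sites consistent. Both enclosing functions continue outside the hunks.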