file.Filename should not be trusted. There should be a sanitize function, or a warning in the docs. #1693

Closed
@ganlvtech

  • go version: 1.11
  • operating system: Windows 10 64bit

Description

// Both snippets pass the client-controlled file.Filename straight to SaveUploadedFile.
if err := c.SaveUploadedFile(file, file.Filename); err != nil {

file, _ := c.FormFile("file")
c.SaveUploadedFile(file, file.Filename)

We must not trust user input file.Filename!

Reproduce

First, start examples/upload-file/single/main.go server.

cd ~/go/src/github.com/gin-gonic/gin/examples/upload-file/single
go run main.go

Start a new terminal and upload a file (such as the main.go itself) with cURL.

curl -X POST -F 'file=@main.go; filename=../main.go' http://127.0.0.1:8080/upload

Then you will find the uploaded file at ~/go/src/github.com/gin-gonic/gin/examples/upload-file/main.go. Uploading a file to the parent dir is really dangerous.

I don't know if it's by design, but I think there should, at least, be a warning asking developers to sanitize the input properly.

Solution

The simplest way may be

import "path/filepath"

file, _ := c.FormFile("file")
// filepath.Base keeps only the last path element, so "../main.go" becomes "main.go".
filename := filepath.Base(file.Filename)
c.SaveUploadedFile(file, filename)

This restricts the uploaded file to the current directory.
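Added example, not code from this issue or from gin: a sanitizer that goes one step beyond the filepath.Base suggestion above, a save routine that re-checks containment before writing, and a request builder that produces the same multipart body as the curl command in the Reproduce section. It uses only the standard library (net/http's FormFile is what gin's c.FormFile wraps), so it runs without gin. The names SafeUploadName, SaveUnder and TraversalRequest and the part body are chosen here. filepath.Base alone has gaps a practitioner should know about: it still returns "." or ".." for inputs like "..", "../" or "", and on Linux it does not treat a backslash as a separator, so "..\main.go" survives as a literal filename. Newer Go releases document that multipart.Part.FileName applies filepath.Base itself, with the same platform dependence, so the example does not rely on what the parser delivers.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ErrBadName is returned when a client-supplied filename has no usable
// base name left once directory components are stripped.
var ErrBadName = errors.New("upload: unusable filename")

// SafeUploadName reduces a multipart filename to a single path component.
// Backslashes count as separators on every OS (so "..\main.go" cannot become
// a literal file on Linux) and the values Base can still return (".", "..",
// "/", "") are rejected instead of being handed to the filesystem.
func SafeUploadName(name string) (string, error) {
	name = strings.ReplaceAll(name, `\`, "/")
	base := path.Base(name) // drops every directory component
	switch base {
	case ".", "..", "/", "":
		return "", ErrBadName
	}
	if strings.ContainsRune(base, 0) { // NUL truncates names in C-level APIs
		return "", ErrBadName
	}
	return base, nil
}

// SaveUnder stores fh inside dir under a sanitized name. It re-checks that
// the joined path is still inside dir, so a future sanitizer bug yields an
// error rather than a write outside the upload directory, and it refuses to
// overwrite an existing upload (O_EXCL).
func SaveUnder(fh *multipart.FileHeader, dir string) (string, error) {
	name, err := SafeUploadName(fh.Filename)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(dir, name)
	rel, err := filepath.Rel(dir, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("upload: %q escapes %q", dst, dir)
	}
	src, err := fh.Open()
	if err != nil {
		return "", err
	}
	defer src.Close()
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	defer out.Close()
	if _, err := io.Copy(out, src); err != nil {
		return "", err
	}
	return dst, nil
}

// TraversalRequest builds the request the issue's curl command sends: a
// multipart part named "file" whose filename parameter is attacker-chosen.
// The part body is a constructed sample, not a real file.
func TraversalRequest(filename string) *http.Request {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	part, _ := w.CreateFormFile("file", filename)
	io.WriteString(part, "package main // constructed sample upload body\n")
	w.Close()
	req := httptest.NewRequest(http.MethodPost, "/upload", &buf)
	req.Header.Set("Content-Type", w.FormDataContentType())
	return req
}

func main() {
	dir, err := os.MkdirTemp("", "uploads-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// gin's c.FormFile is a thin wrapper over this stdlib call.
	_, fh, err := TraversalRequest("../main.go").FormFile("file")
	if err != nil {
		panic(err)
	}
	dst, err := SaveUnder(fh, dir)
	fmt.Printf("parser delivered %q, saved to %s, err=%v\n", fh.Filename, dst, err)
}
```

The Rel check is deliberately redundant with SafeUploadName: keep it even once the sanitizer is trusted, because it is the check that fails closed if the upload directory is later made configurable or the sanitizer is changed.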
