Merge branch 'master' into master

2026-02-07 11:16:00 +00:00 · 2021-01-09 03:37:54 +02:00
parent 8ab500bd6c cd1f82a08f
commit 387eac8672
43 changed files with 747 additions and 478 deletions
--- a/context/configuration.go
+++ b/context/configuration.go
@@ -53,6 +53,8 @@ type ConfigurationReadOnly interface {
 	GetLanguageInputContextKey() string
 	// GetVersionContextKey returns the VersionContextKey field.
 	GetVersionContextKey() string
+	// GetVersionAliasesContextKey returns the VersionAliasesContextKey field.
+	GetVersionAliasesContextKey() string

 	// GetViewEngineContextKey returns the ViewEngineContextKey field.
 	GetViewEngineContextKey() string
--- a/context/context.go
+++ b/context/context.go
@@ -1974,6 +1974,13 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
 			for _, files := range fhs {
 			innerLoop:
 				for _, file := range files {
+					// Fix an issue that net/http has,
+					// an attacker can push a filename
+					// which could lead to override existing system files
+					// by ../../$file.
+					// Reported by Frank through security reports.
+					file.Filename = strings.TrimLeft(file.Filename, "../")
+					file.Filename = strings.TrimLeft(file.Filename, "..\\")

 					for _, b := range before {
 						if !b(ctx, file) {
--- a/context/context_user.go
+++ b/context/context_user.go
@@ -81,15 +81,15 @@ to the end-developer's custom implementations.

 // SimpleUser is a simple implementation of the User interface.
 type SimpleUser struct {
-	Authorization string          `json:"authorization,omitempty"`
-	AuthorizedAt  time.Time       `json:"authorized_at,omitempty"`
-	ID            string          `json:"id,omitempty"`
-	Username      string          `json:"username,omitempty"`
-	Password      string          `json:"password,omitempty"`
-	Email         string          `json:"email,omitempty"`
-	Roles         []string        `json:"roles,omitempty"`
-	Token         json.RawMessage `json:"token,omitempty"`
-	Fields        Map             `json:"fields,omitempty"`
+	Authorization string          `json:"authorization,omitempty" db:"authorization"`
+	AuthorizedAt  time.Time       `json:"authorized_at,omitempty" db:"authorized_at"`
+	ID            string          `json:"id,omitempty" db:"id"`
+	Username      string          `json:"username,omitempty" db:"username"`
+	Password      string          `json:"password,omitempty" db:"password"`
+	Email         string          `json:"email,omitempty" db:"email"`
+	Roles         []string        `json:"roles,omitempty" db:"roles"`
+	Token         json.RawMessage `json:"token,omitempty" db:"token"`
+	Fields        Map             `json:"fields,omitempty" db:"fields"`
 }

 var _ User = (*SimpleUser)(nil)
--- a/context/handler.go
+++ b/context/handler.go
@@ -239,6 +239,10 @@ var ignoreMainHandlerNames = [...]string{
 	"iris.reCAPTCHA",
 	"iris.profiling",
 	"iris.recover",
+	"iris.accesslog",
+	"iris.grpc",
+	"iris.requestid",
+	"iris.rewrite",
 }

 // ingoreMainHandlerName reports whether a main handler of "name" should
--- a/context/route.go
+++ b/context/route.go
@@ -62,6 +62,10 @@ type RouteReadOnly interface {
 	// MainHandlerIndex returns the first registered handler's index for the route.
 	MainHandlerIndex() int

+	// Property returns a specific property based on its "key"
+	// of this route's Party owner.
+	Property(key string) (interface{}, bool)
+
 	// Sitemap properties: https://www.sitemaps.org/protocol.html

 	// GetLastMod returns the date of last modification of the file served by this route.