context.UploadFormFiles: security fix

2025-12-26 06:17:03 +00:00 · 2020-12-27 13:23:14 +02:00
parent e2b481dea1
commit 8fef8fd04c
2 changed files with 8 additions and 1 deletions
--- a/context/context.go
+++ b/context/context.go
@@ -1974,6 +1974,13 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
 			for _, files := range fhs {
 			innerLoop:
 				for _, file := range files {
+					// Fix an issue that net/http has,
+					// an attacker can push a filename
+					// which could lead to override existing system files
+					// by ../../$file.
+					// Reported by Frank through security reports.
+					file.Filename = strings.TrimLeft(file.Filename, "../")
+					file.Filename = strings.TrimLeft(file.Filename, "..\\")

 					for _, b := range before {
 						if !b(ctx, file) {