Giters

gin-gonic / gin

Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.

Home Page:https://gin-gonic.com/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

file.Filename should not be trusted. There should be a sanitize function, or give a warning in docs.

ganlvtech opened this issue · comments

commented
  • go version: 1.11
  • operating system: Windows 10 64bit

Description

gin/examples/upload-file/single/main.go

Line 26 in cce4958

if err := c.SaveUploadedFile(file, file.Filename); err != nil { 

file, _ := c.FormFile("file")
c.SaveUploadedFile(file, file.Filename)

We must not trust user input file.Filename!

Reproduce

First, start examples/upload-file/single/main.go server.

cd ~/go/src/github.com/gin-gonic/gin/examples/upload-file/single
go run main.go

Start a new terminal and upload a file (such as the main.go itself) with cURL.

curl -X POST -F 'file=@main.go; filename=../main.go' http://127.0.0.1:8080/upload

Then, you will find the uploaded file is at ~/go/src/github.com/gin-gonic/gin/examples/upload-file/main.go. Upload a file to parent dir is really dangerous.

I don't know if it's by design. But I think, at least, there should be a warning asking developers to sanitize the input properly.

Solution

The simplest way may be

import "path/filepath"

file, _ := c.FormFile("file")
filename := filepath.Base(file.Filename)
c.SaveUploadedFile(file, filename)

This will restrict the upload file to current directory.

commented

@ganlvtech please commit pull request, thanks!

commented

#1699 merged!