Description

gin/examples/upload-file/single/main.go, line 26 in cce4958: we must not trust user input (file.Filename).

Reproduce

First, start the examples/upload-file/single/main.go server.

cd ~/go/src/github.com/gin-gonic/gin/examples/upload-file/single
go run main.go

Start a new terminal and upload a file (such as the main.go itself) with cURL.

curl -X POST -F 'file=@main.go; filename=../main.go' http://127.0.0.1:8080/upload

Then, you will find the uploaded file is at ~/go/src/github.com/gin-gonic/gin/examples/upload-file/main.go. Uploading a file to the parent dir is really dangerous.

I don't know if it's by design. But I think, at least, there should be a warning asking developers to sanitize the input properly.

Solution

The simplest way may be

This will restrict the uploaded file to the current directory.
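The issue above reduces to one rule: a multipart filename is attacker-controlled and must be collapsed to a single path component before it touches the filesystem. The following is an added example, not code from the issue author or from the gin project. It uses only the Go standard library (net/http instead of gin) so it runs stand-alone; the form field name "file", the upload directory "./uploads" and the listen address are assumptions chosen to match the curl command in the report. SanitizeFilename strips directory components (including backslash-separated ones, which filepath.Base on Linux would leave intact) and rejects empty or dot-only names; SafeUploadPath then re-checks with filepath.Rel that the final path is still inside the upload directory, so the handler does not rely on any single check. Go 1.17 later made multipart.Part.FileName apply filepath.Base itself, but the explicit check remains worthwhile for older toolchains and as defence in depth.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadFilename is returned when a client-supplied filename cannot be
// reduced to one safe path component.
var ErrBadFilename = errors.New("unsafe upload filename")

// SanitizeFilename reduces a multipart filename such as "../main.go" to its
// base name ("main.go"). Backslashes are treated as separators too, because
// filepath.Base on Linux would otherwise keep "..\..\x" intact. Empty names,
// ".", "..", a bare "/" and names containing NUL are rejected outright.
func SanitizeFilename(clientName string) (string, error) {
	base := filepath.Base(strings.ReplaceAll(clientName, "\\", "/"))
	switch {
	case base == "", base == ".", base == "..", base == "/":
		return "", ErrBadFilename
	case strings.ContainsRune(base, 0):
		return "", ErrBadFilename
	}
	return base, nil
}

// SafeUploadPath joins the sanitized name onto uploadDir and then verifies,
// independently of the sanitizer, that the result still lies inside
// uploadDir. The second check is defence in depth: if SanitizeFilename ever
// let a traversal through, filepath.Rel would expose it as a ".." prefix.
func SafeUploadPath(uploadDir, clientName string) (string, error) {
	name, err := SanitizeFilename(clientName)
	if err != nil {
		return "", err
	}
	absDir, err := filepath.Abs(uploadDir)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(absDir, name)
	rel, err := filepath.Rel(absDir, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadFilename
	}
	return dst, nil
}

// UploadHandler mirrors the shape of the gin single-upload example using only
// net/http: the form field is still "file" (assumed, as in the curl command),
// but the destination comes from SafeUploadPath rather than from the raw
// header filename. O_EXCL stops a later upload from overwriting an earlier one.
func UploadHandler(uploadDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		src, hdr, err := r.FormFile("file") // parses the multipart body on first call
		if err != nil {
			http.Error(w, "missing 'file' field", http.StatusBadRequest)
			return
		}
		defer src.Close()

		dst, err := SafeUploadPath(uploadDir, hdr.Filename)
		if err != nil {
			http.Error(w, "invalid filename", http.StatusBadRequest)
			return
		}
		out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
		if err != nil {
			http.Error(w, "cannot store file", http.StatusConflict)
			return
		}
		defer out.Close()
		if _, err := io.Copy(out, src); err != nil {
			http.Error(w, "write failed", http.StatusInternalServerError)
			return
		}
		// Echo only the sanitized base name, never the raw client filename.
		fmt.Fprintf(w, "'%s' uploaded\n", filepath.Base(dst))
	}
}

func main() {
	const uploadDir = "./uploads" // assumed location; the gin example wrote next to main.go
	if err := os.MkdirAll(uploadDir, 0o700); err != nil {
		log.Fatal(err)
	}
	http.Handle("/upload", UploadHandler(uploadDir))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

With this handler, the curl command from the report (filename=../main.go) stores the file as uploads/main.go instead of writing into the parent directory, and a request whose filename collapses to nothing usable (for example "..", "/" or an empty name) is answered with 400 rather than touching the disk.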
ganlvtech changed the title from "file.Filename must not be trusted. There should be a sanitize function. give a warning in docs." to "file.Filename should not be trusted. There should be a sanitize function, or give a warning in docs." on Dec 12, 2018