Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

net/http: ignore directory path when parsing multipart forms

Browse source 
Fixes #45789

Change-Id: Id588f5dbbecf5fbfb54e957c53903aaa900171f2
Reviewed-on: https://go-review.googlesource.com/c/go/+/313809
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Katie Hockman 2021-04-26 18:46:22 -04:00
parent 95dde3f029
commit 784ef4c531
2 changed files with 34 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/mime/multipart/multipart.go
View file

@ -20,6 +20,7 @@ import (
"mime" "mime"
"mime/quotedprintable" "mime/quotedprintable"
"net/textproto" "net/textproto"
"path/filepath"
"strings" "strings"
) )
@ -67,13 +68,20 @@ func (p *Part) FormName() string {
return p.dispositionParams["name"] return p.dispositionParams["name"]
} }
// FileName returns the filename parameter of the Part's // FileName returns the filename parameter of the Part's Content-Disposition
// Content-Disposition header. // header. If not empty, the filename is passed through filepath.Base (which is
// platform dependent) before being returned.
func (p *Part) FileName() string { func (p *Part) FileName() string {
if p.dispositionParams == nil { if p.dispositionParams == nil {
p.parseContentDisposition() p.parseContentDisposition()
} }
return p.dispositionParams["filename"] filename := p.dispositionParams["filename"]
if filename == "" {
return ""
}
// RFC 7578, Section 4.2 requires that if a filename is provided, the
// directory path information must not be used.
return filepath.Base(filename)
} }
func (p *Part) parseContentDisposition() { func (p *Part) parseContentDisposition() {

23
src/net/http/request_test.go
View file

@ -245,6 +245,29 @@ func TestParseMultipartForm(t *testing.T) {
} }
} }
// Issue 45789: multipart form should not include directory path in filename
func TestParseMultipartFormFilename(t *testing.T) {
postData :=
`--xxx
Content-Disposition: form-data; name="file"; filename="../usr/foobar.txt/"
Content-Type: text/plain
--xxx--
`
req := &Request{
Method: "POST",
Header: Header{"Content-Type": {`multipart/form-data; boundary=xxx`}},
Body: io.NopCloser(strings.NewReader(postData)),
}
_, hdr, err := req.FormFile("file")
if err != nil {
t.Fatal(err)
}
if hdr.Filename != "foobar.txt" {
t.Errorf("expected only the last element of the path, got %q", hdr.Filename)
}
}
// Issue #40430: Test that if maxMemory for ParseMultipartForm when combined with // Issue #40430: Test that if maxMemory for ParseMultipartForm when combined with
// the payload size and the internal leeway buffer size of 10MiB overflows, that we // the payload size and the internal leeway buffer size of 10MiB overflows, that we
// correctly return an error. // correctly return an error.