file.Filename should not be trusted. There should be a sanitize function, or give a warning in docs.

[ganlvtech]

• go version: 1.11
• operating system: Windows 10 64bit

Description

gin/examples/upload-file/single/main.go

Line 26 in cce4958

if err := c.SaveUploadedFile(file, file.Filename); err != nil {

file, _ := c.FormFile("file")
c.SaveUploadedFile(file, file.Filename)

We must not trust user input file.Filename!

Reproduce

First, start examples/upload-file/single/main.go server.

cd ~/go/src/github.com/gin-gonic/gin/examples/upload-file/single
go run main.go

Start a new terminal and upload a file (such as the main.go itself) with cURL.

curl -X POST -F 'file=@main.go; filename=../main.go' http://127.0.0.1:8080/upload

Then, you will find the uploaded file is at ~/go/src/github.com/gin-gonic/gin/examples/upload-file/main.go. Upload a file to parent dir is really dangerous.

I don't know if it's by design. But I think, at least, there should be a warning asking developers to sanitize the input properly.

Solution

The simplest way may be

import "path/filepath"

file, _ := c.FormFile("file")
filename := filepath.Base(file.Filename)
c.SaveUploadedFile(file, filename)

This will restrict the upload file to current directory.

[thinkerou]

@ganlvtech please commit pull request, thanks!

[thinkerou]

#1699 merged!