security fix
kataras committed Dec 23, 2021
1 parent 25ad31b commit e213dba
Showing 2 changed files with 6 additions and 14 deletions.
2 changes: 2 additions & 0 deletions HISTORY.md
Expand Up @@ -28,6 +28,8 @@ The codebase for Dependency Injection, Internationalization and localization and

## Fixes and Improvements

- Push a security fix reported by [Kirill Efimov](https://github.com/kirill89) for older go runtimes.

- New `Configuration.Timeout` and `Configuration.TimeoutMessage` fields. Use it to set HTTP timeouts. Note that your http server's (`Application.ConfigureHost`) Read/Write timeouts should be a bit higher than the `Configuration.Timeout` in order to give some time to http timeout handler to kick in and be able to send the `Configuration.TimeoutMessage` properly.

- New `apps.OnApplicationRegistered` method which listens on new Iris applications hosted under the same binary. Use it on your `init` functions to configure Iris applications by any spot in your project's files.
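Review bot: the new changelog line `- Push a security fix reported by [Kirill Efimov](https://github.com/kirill89) for older go runtimes.` does not say what was vulnerable or what changed, so a consumer cannot judge whether the entry applies to them; state that client-supplied filenames in `Context.FormFiles` and `Context.UploadFormFiles` are now reduced to their last path element with `filepath.Base` (so a name such as `../../name` cannot escape the destination directory), and use the same runtime boundary the code comment gives (`go < 1.17.5`) instead of "older go runtimes". "Push a security fix" also reads as an instruction rather than a list entry; "Security fix: ..." is clearer next to the surrounding "New ..." entries.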
18 changes: 4 additions & 14 deletions context/context.go
Expand Up @@ -2032,13 +2032,7 @@ func (ctx *Context) FormFiles(key string, before ...func(*Context, *multipart.Fi

innerLoop:
for _, header := range fhs[key] {
// Fix an issue that net/http has,
// an attacker can push a filename
// which could lead to override existing system files
// by ../../$header.
// Reported by Frank through security reports.
header.Filename = strings.ReplaceAll(header.Filename, "../", "")
header.Filename = strings.ReplaceAll(header.Filename, "..\\", "")
header.Filename = filepath.Base(header.Filename)

for _, b := range before {
if !b(ctx, header) {
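Review bot: this hunk deletes the comment that explained why the filename is sanitised but keeps the bare `header.Filename = filepath.Base(header.Filename)` line, while the same change in `UploadFormFiles` keeps a `// Security fix for go < 1.17.5` comment; keep an equivalent comment here, and record why the two `strings.ReplaceAll` lines were dropped rather than left in front of `filepath.Base`: a single-pass removal of `../` is bypassable (`....//` collapses to `../` after one pass), so `filepath.Base` is the only step worth keeping. One gap remains: `filepath.Base` returns `.` for an empty name and passes `.` and `..` through unchanged, so wherever the resulting name is joined onto a directory those three values should be rejected explicitly (for example by skipping the header when the name is `.` or `..`) instead of relying on the later file operation to fail.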
Expand Down Expand Up @@ -2100,13 +2094,9 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
for _, files := range fhs {
innerLoop:
for _, file := range files {
// Fix an issue that net/http has,
// an attacker can push a filename
// which could lead to override existing system files
// by ../../$file.
// Reported by Frank through security reports.
file.Filename = strings.ReplaceAll(file.Filename, "../", "")
file.Filename = strings.ReplaceAll(file.Filename, "..\\", "")
// Security fix for go < 1.17.5:
// Reported by Kirill Efimov (snyk.io) through security reports.
file.Filename = filepath.Base(file.Filename)

for _, b := range before {
if !b(ctx, file) {
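Review bot: the comment `// Security fix for go < 1.17.5:` above `file.Filename = filepath.Base(file.Filename)` names a Go version range but not the behaviour being restored; say that the client-supplied multipart filename is reduced to its last path element so it cannot traverse out of `destDirectory`, and that runtimes past the stated boundary already do this in `multipart.Part.FileName`, so on those the line is a harmless repeat rather than a second layer that could diverge. Also note that `filepath.Base` only recognises the host's separator: on Unix a backslash is an ordinary filename character, so the removed `strings.ReplaceAll(file.Filename, "..\\", "")` case is no longer rewritten there; that is harmless when writing to a Unix filesystem, but worth a sentence in the comment so the replacement is not reintroduced later as a "fix".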

3 comments on commit e213dba

@ekovacs
@kataras do you have any plans to make a release with this fix?

@ekovacs
?

@kataras
Owner Author
@ekovacs the latest release tag which contains (also) this fix is: v12.2.0-alpha9.
