security fix

kataras · Dec 23, 2021 · e213dba · e213dba · ekovacs · Jan 11, 2022
1 parent 25ad31b
commit e213dba
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 14 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -28,6 +28,8 @@ The codebase for Dependency Injection, Internationalization and localization and
 
 ## Fixes and Improvements
 
+- Push a security fix reported by [Kirill Efimov](https://github.com/kirill89) for older go runtimes.
+
 - New `Configuration.Timeout` and `Configuration.TimeoutMessage` fields. Use it to set HTTP timeouts. Note that your http server's (`Application.ConfigureHost`) Read/Write timeouts should be a bit higher than the `Configuration.Timeout` in order to give some time to http timeout handler to kick in and be able to send the `Configuration.TimeoutMessage` properly.
 
 - New `apps.OnApplicationRegistered` method which listens on new Iris applications hosted under the same binary. Use it on your `init` functions to configure Iris applications by any spot in your project's files.

diff --git a/context/context.go b/context/context.go
@@ -2032,13 +2032,7 @@ func (ctx *Context) FormFiles(key string, before ...func(*Context, *multipart.Fi
 
 		innerLoop:
 			for _, header := range fhs[key] {
-				// Fix an issue that net/http has,
-				// an attacker can push a filename
-				// which could lead to override existing system files
-				// by ../../$header.
-				// Reported by Frank through security reports.
-				header.Filename = strings.ReplaceAll(header.Filename, "../", "")
-				header.Filename = strings.ReplaceAll(header.Filename, "..\\", "")
+				header.Filename = filepath.Base(header.Filename)
 
 				for _, b := range before {
 					if !b(ctx, header) {
@@ -2100,13 +2094,9 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
 			for _, files := range fhs {
 			innerLoop:
 				for _, file := range files {
-					// Fix an issue that net/http has,
-					// an attacker can push a filename
-					// which could lead to override existing system files
-					// by ../../$file.
-					// Reported by Frank through security reports.
-					file.Filename = strings.ReplaceAll(file.Filename, "../", "")
-					file.Filename = strings.ReplaceAll(file.Filename, "..\\", "")
+					// Security fix for go < 1.17.5:
+					// Reported by Kirill Efimov (snyk.io) through security reports.
+					file.Filename = filepath.Base(file.Filename)
 
 					for _, b := range before {
 						if !b(ctx, file) {