Fix #1693: file.Filename should not be trusted (#1699)

This commit is contained in:
Ganlv 2018-12-17 08:13:07 +08:00 committed by thinkerou
parent f67d7a90c4
commit 1542eff27f
3 changed files with 10 additions and 2 deletions

View File

@ -364,6 +364,10 @@ ids: map[b:hello a:1234], names: map[second:tianou first:thinkerou]
References issue [#774](https://github.com/gin-gonic/gin/issues/774) and detail [example code](examples/upload-file/single).
`file.Filename` **SHOULD NOT** be trusted. See [`Content-Disposition` on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition#Directives) and [#1693](https://github.com/gin-gonic/gin/issues/1693)
> The filename is always optional and must not be used blindly by the application: path information should be stripped, and conversion to the server file system rules should be done.
```go
func main() {
router := gin.Default()

View File

@ -3,6 +3,7 @@ package main
import (
"fmt"
"net/http"
"path/filepath"
"github.com/gin-gonic/gin"
)
@ -25,7 +26,8 @@ func main() {
files := form.File["files"]
for _, file := range files {
if err := c.SaveUploadedFile(file, file.Filename); err != nil {
filename := filepath.Base(file.Filename)
if err := c.SaveUploadedFile(file, filename); err != nil {
c.String(http.StatusBadRequest, fmt.Sprintf("upload file err: %s", err.Error()))
return
}

View File

@ -3,6 +3,7 @@ package main
import (
"fmt"
"net/http"
"path/filepath"
"github.com/gin-gonic/gin"
)
@ -23,7 +24,8 @@ func main() {
return
}
if err := c.SaveUploadedFile(file, file.Filename); err != nil {
filename := filepath.Base(file.Filename)
if err := c.SaveUploadedFile(file, filename); err != nil {
c.String(http.StatusBadRequest, fmt.Sprintf("upload file err: %s", err.Error()))
return
}