While qrcp is in receive mode, the uploader can edit the file name in the HTTP request and add "../". Meanwhile, qrcp doesn't check the legality of the file name, which leads to directory traversal.
Env: qrcp-0.8.4, Windows 10 x86_64, Ubuntu 20.04 x86_64
PoC:
Credit: starryloki, lu0sf
This was apparently an issue in the mime/multipart package of Go itself, which was fixed 10 months ago, a few weeks after the latest release of qrcp.
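
An added example, not code from qrcp or from this thread: one way a Go upload handler can validate the client-supplied file name itself, whatever the multipart parser returns. The helper name `safeUploadPath` and the `uploads` directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errBadName = errors.New("rejected upload file name")

// safeUploadPath is a hypothetical helper (not qrcp's code). It maps the
// client-supplied multipart file name to a path that stays inside destDir.
func safeUploadPath(destDir, clientName string) (string, error) {
	// Treat "\" as a separator on every OS so Windows-style names are
	// handled the same way on Linux.
	name := strings.ReplaceAll(clientName, `\`, "/")
	// Keep only the last path element, dropping any "../" prefix.
	if i := strings.LastIndex(name, "/"); i >= 0 {
		name = name[i+1:]
	}
	if name == "" || name == "." || name == ".." || strings.ContainsRune(name, 0) {
		return "", errBadName
	}
	absDir, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDir, name)
	// Defence in depth: the result must be a direct child of destDir.
	if rel, err := filepath.Rel(absDir, target); err != nil || rel != name {
		return "", errBadName
	}
	return target, nil
}

func main() {
	// Constructed sample names, as they could arrive in a multipart request.
	for _, n := range []string{"photo.jpg", "../../outside.txt", `..\..\outside.txt`, ".."} {
		p, err := safeUploadPath("uploads", n)
		fmt.Printf("%q -> %q, err=%v\n", n, p, err)
	}
}
```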