file.Filename should not be trusted. There should be a sanitize function, or give a warning in docs. #1693
```go
file, _ := c.FormFile("file")
c.SaveUploadedFile(file, file.Filename)
```
We must not trust user input
```sh
cd ~/go/src/github.com/gin-gonic/gin/examples/upload-file/single
go run main.go
```
Start a new terminal and upload a file (such as the

```sh
curl -X POST -F 'email@example.com; filename=../main.go' http://127.0.0.1:8080/upload
```
Then, you will find the uploaded file is at
I don't know if it's by design. But I think, at least, there should be a warning asking developers to sanitize the input properly.
The simplest way may be

```go
import "path/filepath"

file, _ := c.FormFile("file")
filename := filepath.Base(file.Filename)
c.SaveUploadedFile(file, filename)
```

This will restrict the uploaded file to the current directory.
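As an added example (not code from the report or from the gin project), here is a standalone helper that applies the `filepath.Base` idea above and adds the checks a reviewer would want on top of it: it folds backslashes into `/` before taking the base name so Windows-style `..\` segments are also stripped, rejects empty, dot-only and NUL-containing names instead of silently saving them, and re-verifies that the joined path still sits under the upload directory. The function name `SafeUploadPath`, the directory `/srv/uploads` and the sample filenames are all assumptions; in a gin handler you would call it as `dst, err := SafeUploadPath(uploadDir, file.Filename)` and pass `dst` to `c.SaveUploadedFile`.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrBadFilename is returned when the client-supplied filename cannot be
// reduced to a single safe path component.
var ErrBadFilename = errors.New("unsafe upload filename")

// SafeUploadPath reduces a client-supplied multipart filename to one path
// component and joins it under uploadDir. Traversal segments are dropped,
// and empty, dot-only, root or NUL-containing names are rejected outright.
// (Hypothetical helper written for this issue; not part of gin.)
func SafeUploadPath(uploadDir, clientFilename string) (string, error) {
	// A NUL byte would truncate the name at the OS boundary; refuse it.
	if strings.ContainsRune(clientFilename, 0) {
		return "", ErrBadFilename
	}
	// path.Base only understands '/', so backslashes sent by Windows clients
	// are folded into it first. Otherwise "..\\x" survives as a single
	// component on a POSIX server and becomes traversal if the same code
	// ever runs on Windows.
	name := path.Base(strings.ReplaceAll(clientFilename, "\\", "/"))
	switch name {
	case "", ".", "..", "/":
		return "", ErrBadFilename
	}
	dst := filepath.Join(uploadDir, name)
	// Defence in depth: confirm the joined path still resolves inside uploadDir.
	rel, err := filepath.Rel(uploadDir, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadFilename
	}
	return dst, nil
}

func main() {
	// Constructed sample filenames, including the one used in the report.
	for _, fn := range []string{"report.pdf", "../main.go", "..\\..\\win.ini", "..", ""} {
		dst, err := SafeUploadPath("/srv/uploads", fn)
		fmt.Printf("%-18q -> %q err=%v\n", fn, dst, err)
	}
}
```

Taking only the base name is what prevents the `filename=../main.go` case from the report; the extra checks exist because `filepath.Base` alone still returns `.` for an empty name and `..` for a bare `..`, and on Linux does not treat a backslash as a separator.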