net/http: multipart form should not include directory path in filename #45789

katiehockman opened this issue Apr 26, 2021 · 1 comment


@katiehockman katiehockman commented Apr 26, 2021

When parsing a multipart form, the parsed filename could include directory path information (e.g. "../../foobar.txt"). This is not allowed by RFC 7578 Section 4.2, which states:

> If a "filename" parameter is supplied, the requirements of Section 2.3 of [RFC2183] for the "receiving MUA" (i.e., the receiving Mail User Agent) apply to receivers of multipart/form-data as well: do not use the file name blindly, check and possibly change to match local file system conventions if applicable, and do not use directory path information that may be present.

This off-spec behavior makes the code easy to misuse, but does not explicitly introduce a vulnerability, so this will not be fixed in a security release.

Thanks to Sebastiaan van Stijn for reporting this issue.

@katiehockman katiehockman added this to the Go1.17 milestone Apr 26, 2021
@katiehockman katiehockman changed the title net/http: multipart form can include directory path information in filename net/http: multipart form should not include directory path in filename Apr 26, 2021

@gopherbot gopherbot commented Apr 26, 2021

Change mentions this issue: net/http: strip directory path when parsing multipart forms

@gopherbot gopherbot closed this in 784ef4c May 5, 2021
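
A receiver-side check in the spirit of the RFC text quoted in the issue, as an added example that is not part of the issue or the Go project's code. `safeUploadName` and `rawFilename` are hypothetical helpers, and the multipart body is constructed in memory with the issue's example filename.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime"
	"mime/multipart"
	"path/filepath"
	"strings"
)

// safeUploadName (hypothetical helper) reduces a client-supplied filename to
// its final path element and rejects names that carry no usable element.
func safeUploadName(raw string) (string, error) {
	// Treat backslashes as separators too; filepath.Base only does so on Windows.
	name := filepath.Base(strings.ReplaceAll(raw, `\`, "/"))
	if name == "." || name == ".." || name == "/" || strings.ContainsRune(name, 0) {
		return "", errors.New("unusable filename")
	}
	return name, nil
}

// rawFilename builds a constructed multipart body carrying the given filename
// and returns the filename parameter exactly as it appears on the wire. It
// reads the Content-Disposition header directly, so the result does not
// depend on how a given Go release post-processes the name.
func rawFilename(sent string) (string, error) {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	if _, err := w.CreateFormFile("file", sent); err != nil {
		return "", err
	}
	w.Close()
	part, err := multipart.NewReader(&body, w.Boundary()).NextPart()
	if err != nil {
		return "", err
	}
	_, params, err := mime.ParseMediaType(part.Header.Get("Content-Disposition"))
	return params["filename"], err
}

func main() {
	raw, _ := rawFilename("../../foobar.txt") // constructed sample input
	name, err := safeUploadName(raw)
	fmt.Printf("wire=%q stored=%q err=%v\n", raw, name, err)
}
```
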