net/http: multipart form should not include directory path in filename #45789
When parsing a multipart form, the parsed filename could include directory path information (e.g. "../../foobar.txt"). This is not allowed by RFC 7578 Section 4.2, which states:
This off-spec behavior makes the code easy to misuse, but does not explicitly introduce a vulnerability, so this will not be fixed in a security release.
Thanks to Sebastiaan van Stijn for reporting this issue.
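A server-side check for the misuse described above, as an added example that is not part of the original issue or the Go project's code: it reads the filename parameter directly from the part's Content-Disposition header, so it shows the value as the client sent it, and reduces it to a bare file name before use. The helper names `safeUploadName` and `rawAndSafeName` and the sample upload are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime"
	"mime/multipart"
	"path"
	"strings"
)

// safeUploadName (hypothetical helper) keeps only the final path component,
// treating backslashes as separators too, and rejects non-file names.
func safeUploadName(raw string) (string, error) {
	name := path.Base(strings.ReplaceAll(raw, `\`, "/"))
	if name == "." || name == ".." || name == "/" || strings.ContainsRune(name, 0) {
		return "", errors.New("invalid upload filename")
	}
	return name, nil
}

// rawAndSafeName (hypothetical helper) builds a constructed one-part upload,
// reads filename straight from Content-Disposition, and sanitizes it.
func rawAndSafeName(sent string) (raw, safe string, err error) {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	if _, err = w.CreateFormFile("file", sent); err != nil {
		return "", "", err
	}
	if err = w.Close(); err != nil {
		return "", "", err
	}
	part, err := multipart.NewReader(&body, w.Boundary()).NextPart()
	if err != nil {
		return "", "", err
	}
	_, params, err := mime.ParseMediaType(part.Header.Get("Content-Disposition"))
	if err != nil {
		return "", "", err
	}
	raw = params["filename"]
	safe, err = safeUploadName(raw)
	return raw, safe, err
}

func main() {
	fmt.Println(rawAndSafeName("../../foobar.txt"))
}
```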