Description
When parsing a multipart form, the parsed filename could include directory path information (e.g. "../../foobar.txt"). This is not allowed by RFC 7578 Section 4.2, which states:
If a "filename" parameter is supplied, the requirements of Section 2.3 of [RFC2183] for the "receiving MUA" (i.e., the receiving Mail User Agent) apply to receivers of multipart/form-data as well: do not use the file name blindly, check and possibly change to match local file system conventions if applicable, and do not use directory path information that may be present.
This off-spec behavior makes the code easy to misuse, but does not explicitly introduce a vulnerability, so this will not be fixed in a security release.
Thanks to Sebastiaan van Stijn for reporting this issue.
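A receiver-side check in the spirit of the RFC text quoted above, as an added example that is not code from the original report or from the affected project. It assumes Go's standard `mime/multipart` and `mime` packages as the parser; `safeName`, `rawFilenames` and the sample body are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"path"
	"strings"
)

// Constructed sample body; the boundary and field name are made up.
const sampleBody = "--example-boundary\r\n" +
	"Content-Disposition: form-data; name=\"upload\"; filename=\"../../foobar.txt\"\r\n\r\n" +
	"hello\r\n--example-boundary--\r\n"

// safeName keeps only the last path element of a client-supplied filename.
func safeName(raw string) (string, error) {
	name := path.Base(strings.ReplaceAll(raw, "\\", "/")) // treat \ and / alike
	if name == "." || name == ".." || name == "/" {
		return "", fmt.Errorf("unusable filename %q", raw)
	}
	return name, nil
}

// rawFilenames returns each part's filename parameter exactly as sent ("" if absent or malformed).
func rawFilenames(body, boundary string) ([]string, error) {
	var names []string
	r := multipart.NewReader(strings.NewReader(body), boundary)
	for {
		p, err := r.NextPart()
		if err == io.EOF {
			return names, nil
		} else if err != nil {
			return nil, err
		}
		_, params, _ := mime.ParseMediaType(p.Header.Get("Content-Disposition"))
		names = append(names, params["filename"])
	}
}

func main() {
	raws, err := rawFilenames(sampleBody, "example-boundary")
	if err != nil {
		panic(err)
	}
	name, err := safeName(raws[0])
	fmt.Printf("raw=%q safe=%q err=%v\n", raws[0], name, err)
}
```

The sanitized name is still client-controlled input: join it to a fixed upload directory chosen by the server rather than using it as a path on its own.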