Skip to content

io/ioutil: reject path separators in TempDir, TempFile pattern #33920

New issue
New issue
Closed
Closed
io/ioutil: reject path separators in TempDir, TempFile pattern#33920
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.ProposalProposal-AcceptedSecurity
Milestone
Go1.15
@snyff

Description

@snyff
snyff
opened on Aug 28, 2019

In

go/src/io/ioutil/tempfile.go

Line 64 in f882d89

name := filepath.Join(dir, prefix+nextRandom()+suffix)
The prefix and suffix extracted from the variable pattern are used in filepath.Join. Since there is no filtering in place, this could lead to directory traversal vulnerabilities.

For example, the following value for pattern can create an unexpected behaviour:

ioutil.TempFile("/tmp", path.Base("../../somewhere/else.*.suffix"))

A less-surprising behaviour would be to call path.Base:

name := filepath.Join(dir, path.Base(prefix+nextRandom()+suffix))

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.ProposalProposal-AcceptedSecurity

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions