-
Notifications
You must be signed in to change notification settings - Fork 17.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: multipart form should not include directory path in filename #45789
Comments
Change https://golang.org/cl/313809 mentions this issue: |
The spec states that implementations SHOULD (not MUST) strip this information (and further clean the path) as necessary. This a cautionary note against servers and mail user agents saving attachments at attacker specified locations, not a spec requirement. This breaks go-ipfs in production as we use this information to to upload entire directory trees. This is also insufficient for security purposes as it won't check for special filenames on windows (NUL, etc.). |
The spec might not require any specific cleanup but it does allow it. I believe this was the right tradeoff to provide a safe-by-default API for most applications. If you need the raw value, it's available through
Can you elaborate? Opening a Win32 reserved filename should fail, not let the attacker cause anything malicious. |
To be clear, I'm not arguing that this change should be reverted, just flagging that this is a significant change where both behaviors were reasonable.
Already done.
My understanding is that opening |
This also broke the Cloudflare Workers upload API, and was pretty hard to track down. Only users who had non-flat directory structures were affected, which unfortunately was something we didn't have test coverage for. It took quite a while to figure out what was going on and a while longer to figure out it was caused by a Go update. We'll use |
On older versions of Go, `multipart.Part.FileName()` includes the directory path information, which doesn't comply with RFC 7578. In order to accomodate the tests for older Go versions, the base name is obtained regardless.
When parsing a multipart form, the parsed filename could include directory path information (e.g. "../../foobar.txt). This is not allowed by RFC 7578 Section 4.2, which states:
This off-spec behavior makes the code easy to misuse, but does not explicitly introduce a vulnerability, so this will not be fixed in a security release.
Thanks to Sebastiaan van Stijn for reporting this issue.
The text was updated successfully, but these errors were encountered: