affected/package: http #51656

Closed
motaz opened this issue Mar 14, 2022 · 6 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@motaz

motaz commented Mar 14, 2022

What is the URL of the page with the issue?

What is your user agent?

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0

Screenshot

What did you do?

Uploading a multipart form: when uploading a directory, the directory name does not appear in the uploaded file name. For example, templates/index.html is received as index.html.

What did you expect to see?

Receiving directory name with file name: templates/index.html

What did you see instead?

index.html

This issue started in version 1.17; Go version 1.16.5 was working fine.

@seankhliao
Member

Please show code and steps to reproduce the issue.

@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Mar 14, 2022
@motaz
Author

motaz commented Mar 14, 2022

After running the code below, select a directory to upload. In version 1.16 you will send the directory name with the files, but in 1.17 only file names will be received:

folderbug.zip

@seankhliao
Member

This is an intentional security fix #45789

Closing as working as intended

@motaz
Author

motaz commented Mar 14, 2022

I was relying on this feature to upload templates and static folders for Go web applications in my GoCat project:
https://github.com/motaz/gocat
Now I should remove the directory upload section :(

@seankhliao
Member

As mentioned in the linked issue, the full path is still available via the file headers.

@motaz
Author

motaz commented Mar 15, 2022

Yes, I found it in the Content-Disposition header, thanks.
The full path from the client PC is not required, only the selected directory; for that reason I didn't understand where the security issue is here.

@golang golang locked and limited conversation to collaborators Mar 15, 2023
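
The behaviour discussed in this thread, as an added Go example that is not part of the original issue or of the Go project's code: since Go 1.17 `FileHeader.Filename` holds only the base name, while the part's raw `Content-Disposition` header still carries what the client sent, which is client-controlled and has to be validated before it is joined to an upload directory. `relUploadPath` and `parseUpload` are hypothetical helper names, and the multipart body is constructed sample input.

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"mime/multipart"
	"path"
	"strings"
)

// relUploadPath recovers the client-sent relative path from the part's raw
// Content-Disposition header and rejects anything that leaves the upload root.
func relUploadPath(fh *multipart.FileHeader) (string, error) {
	_, params, err := mime.ParseMediaType(fh.Header.Get("Content-Disposition"))
	if err != nil {
		return "", err
	}
	raw := strings.ReplaceAll(params["filename"], `\`, "/") // Windows separators
	clean := path.Clean(raw)                                // "" cleans to "."
	if strings.HasPrefix(raw, "/") || strings.Contains(raw, ":") ||
		clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", fmt.Errorf("unsafe upload filename %q", raw)
	}
	return clean, nil
}

// parseUpload builds a one-file multipart body (constructed sample input) and
// parses it with ReadForm, as net/http does for uploaded forms.
func parseUpload(filename string) (*multipart.FileHeader, error) {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	part, _ := w.CreateFormFile("file", filename) // in-memory buffer, cannot fail
	part.Write([]byte("<html></html>"))
	w.Close()
	form, err := multipart.NewReader(&body, w.Boundary()).ReadForm(1 << 20)
	if err != nil {
		return nil, err
	}
	return form.File["file"][0], nil
}

func main() {
	fh, err := parseUpload("templates/index.html")
	if err != nil {
		panic(err)
	}
	rel, err := relUploadPath(fh)
	fmt.Println(fh.Filename, rel, err) // index.html templates/index.html <nil>
}
```

The returned path is slash-separated and relative; convert it with `filepath.FromSlash` and join it to the upload root only after this check has passed.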