authorKatie Hockman <katie@golang.org>2021-04-26 18:46:22 -0400
committerKatie Hockman <katie@golang.org>2021-05-05 18:14:49 +0000
commit784ef4c53135644d70f3476a4bd90010b9acff66 (patch)
tree3634f783ea2efc8f71781b2f8ff175a57edde8c8 /src/mime
parent95dde3f0290b0df797770afc899ae977ed89833e (diff)
net/http: ignore directory path when parsing multipart forms
Fixes #45789 Change-Id: Id588f5dbbecf5fbfb54e957c53903aaa900171f2 Reviewed-on: https://go-review.googlesource.com/c/go/+/313809 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
Diffstat (limited to 'src/mime')
-rw-r--r--src/mime/multipart/multipart.go14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/mime/multipart/multipart.go b/src/mime/multipart/multipart.go
index cb8bf39338..81bf722d4e 100644
--- a/src/mime/multipart/multipart.go
+++ b/src/mime/multipart/multipart.go
@@ -20,6 +20,7 @@ import (
"mime"
"mime/quotedprintable"
"net/textproto"
+ "path/filepath"
"strings"
)
@@ -67,13 +68,20 @@ func (p *Part) FormName() string {
return p.dispositionParams["name"]
}
-// FileName returns the filename parameter of the Part's
-// Content-Disposition header.
+// FileName returns the filename parameter of the Part's Content-Disposition
+// header. If not empty, the filename is passed through filepath.Base (which is
+// platform dependent) before being returned.
func (p *Part) FileName() string {
if p.dispositionParams == nil {
p.parseContentDisposition()
}
- return p.dispositionParams["filename"]
+ filename := p.dispositionParams["filename"]
+ if filename == "" {
+ return ""
+ }
+ // RFC 7578, Section 4.2 requires that if a filename is provided, the
+ // directory path information must not be used.
+ return filepath.Base(filename)
}
func (p *Part) parseContentDisposition() {
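Review bot: FileName can still return a value that is unsafe to join onto a directory, because `filepath.Base` passes `.`, `..` and a bare separator through unchanged (a filename parameter of `..` comes back as `..`). The new doc comment says the result is platform dependent but not what that means: on non-Windows builds a backslash is not a separator, so a Windows-style path in the header is returned whole. I would extend the comment with something like `// The result may still be ".", ".." or a path separator, and on non-Windows platforms backslashes are not stripped; callers must validate it before using it as a file name.` A test in this package pinning the results for `..`, `/` and `a\b` would make that contract explicit.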