author | Katie Hockman <katie@golang.org> | 2021-04-26 18:46:22 -0400 |
---|---|---|
committer | Katie Hockman <katie@golang.org> | 2021-05-05 18:14:49 +0000 |
commit | 784ef4c53135644d70f3476a4bd90010b9acff66 (patch) | |
tree | 3634f783ea2efc8f71781b2f8ff175a57edde8c8 /src/net | |
parent | 95dde3f0290b0df797770afc899ae977ed89833e (diff) | |
net/http: ignore directory path when parsing multipart forms
Fixes #45789
Change-Id: Id588f5dbbecf5fbfb54e957c53903aaa900171f2
Reviewed-on: https://go-review.googlesource.com/c/go/+/313809
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Diffstat (limited to 'src/net')
-rw-r--r-- | src/net/http/request_test.go | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
index 07b3d6a1c7..952828b395 100644
--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
@@ -245,6 +245,29 @@ func TestParseMultipartForm(t *testing.T) {
 }
 }
 
+// Issue 45789: multipart form should not include directory path in filename
+func TestParseMultipartFormFilename(t *testing.T) {
+ postData :=
+ `--xxx
+Content-Disposition: form-data; name="file"; filename="../usr/foobar.txt/"
+Content-Type: text/plain
+
+--xxx--
+`
+ req := &Request{
+ Method: "POST",
+ Header: Header{"Content-Type": {`multipart/form-data; boundary=xxx`}},
+ Body: io.NopCloser(strings.NewReader(postData)),
+ }
+ _, hdr, err := req.FormFile("file")
+ if err != nil {
+ t.Fatal(err)
+ }
+ if hdr.Filename != "foobar.txt" {
+ t.Errorf("expected only the last element of the path, got %q", hdr.Filename)
+ }
+}
+
 // Issue #40430: Test that if maxMemory for ParseMultipartForm when combined with
 // the payload size and the internal leeway buffer size of 10MiB overflows, that we
 // correctly return an error. |
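Review bot: TestParseMultipartFormFilename pins only one input shape, `../usr/foobar.txt/`, so a regression that mishandles an absolute path, a bare `..`, or a backslash-separated name would pass unnoticed. The filename comes straight from the client's Content-Disposition header, so a small table of inputs with their expected `hdr.Filename` would make the guarantee explicit. The parsing change itself is not visible here (the diffstat is limited to src/net), so what it returns for `..` or for backslashes on non-Windows hosts needs to be confirmed before those expectations are written down. A comment on the test such as `// hdr.Filename is still client-supplied; callers must validate it before using it in a storage path` would keep readers from over-trusting the stripped value. Separately, the file returned by `req.FormFile` is discarded; `f, hdr, err := req.FormFile("file")` with `defer f.Close()` after the error check would release it.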