-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide safer API for getting filenames of uploaded files #8008
Labels
Milestone
Comments
There's a combination of https://stackoverflow.com/questions/33083397/filtering-upwards-path-traversal-in-java-or-scala |
Is this still an issue that needs fixing? If so, I'm happy to work on it |
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
FilePart
ofMultipartFormData
just uses the rawfilename
provided by the client. While this API is technically correct, it is very easy to mistakenly use the filename in unsafe places, such as in a path to write to a file on the system. This leaves users open to directory traversal attacks.Instead of a
filename
method that returns the filename, we could perhaps have anunsafeFilename
method and asanitizedFilename
method, and deprecate the existingfilename
method. The sanitized version could simply remove any other path components besides the actual file name, which is totally fine since the spec says thefilename
is only a suggested name.The text was updated successfully, but these errors were encountered: