Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bugfix] gin web framework does not properly sanitize filename parameter of Context.FileAttachment function #1620

Merged
merged 2 commits into from
May 14, 2024
Merged

[Bugfix] gin web framework does not properly sanitize filename parameter of Context.FileAttachment function #1620

merged 2 commits into from
May 14, 2024

Conversation

sufatmawati
Copy link
Contributor

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

@sufatmawati
[Bugfix] gin web framework does not properly sanitize filename parame…
adfa292 
…ter of `Context.FileAttachment` function

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat".

If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.
@sufatmawati sufatmawati requested a review from a team as a code owner May 13, 2024 15:49
@sufatmawati sufatmawati mentioned this pull request May 13, 2024
Closed
@dmathieu
Copy link
Member

Thank you Suchi.
Note that the library is not impacted by this at all.
This PR upgrades gin (which should have happened within a few days from dependabot).

@dmathieu dmathieu linked an issue May 14, 2024 that may be closed by this pull request
lack of escaping of filename in content-disposition FileAttachment() is vulnerable to Reflect File Download #1621
Closed
dmathieu
dmathieu previously approved these changes May 14, 2024
View reviewed changes
@dmathieu
Copy link
Member

run docs-build

@dmathieu dmathieu enabled auto-merge (squash) May 14, 2024 07:04
@dmathieu
Copy link
Member

run docs-build

@dmathieu dmathieu disabled auto-merge May 14, 2024 07:59
@dmathieu dmathieu enabled auto-merge (squash) May 14, 2024 07:59
@dmathieu dmathieu merged commit c0d807d into elastic:main May 14, 2024
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kruskall kruskall kruskall approved these changes

@dmathieu dmathieu dmathieu approved these changes

Assignees
No one assigned
Labels
agent-go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

lack of escaping of filename in content-disposition FileAttachment() is vulnerable to Reflect File Download
3 participants
@sufatmawati @dmathieu @kruskall