129 points surprisetalk | 1 comments
1. naruhodo No.44460895

    files := r.MultipartForm.File["upload"]
    for _, file := range files {
        src, err := file.Open()
        filename := fmt.Sprintf("%d%s", imgNum, filepath.Ext(file.Filename))
        dst, err := os.Create(ORIGINAL_DIR + "/" + filename)
        _, err = io.Copy(dst, src)

Hmmm... can an attacker upload a file named "../../../etc/profile.d/script.sh" or similar ideas, i.e. path traversal?
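
An added example, not part of the comment above or of the code it quotes: `snippetName` reproduces the quoted filename derivation so its output can be inspected for hostile names (`filepath.Ext` returns only the suffix from the last dot of the final path element), and `safeDest` is a hypothetical hardened variant. The `/srv/original` directory, the extension allowlist and both function names are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// snippetName reproduces how the quoted handler derives the on-disk name:
// a server-side counter plus filepath.Ext of the client-supplied filename.
func snippetName(imgNum int, clientName string) string {
	return fmt.Sprintf("%d%s", imgNum, filepath.Ext(clientName))
}

// safeDest is a hypothetical hardened variant: allowlisted extension and a
// containment check on the joined path. baseDir stands in for ORIGINAL_DIR.
func safeDest(baseDir string, imgNum int, clientName string) (string, error) {
	ext := strings.ToLower(filepath.Ext(clientName))
	switch ext {
	case ".jpg", ".jpeg", ".png", ".gif": // assumed allowlist for an image upload
	default:
		return "", fmt.Errorf("extension %q not allowed", ext)
	}
	dst := filepath.Join(baseDir, fmt.Sprintf("%d%s", imgNum, ext))
	// Defense in depth: the cleaned destination must stay under baseDir.
	rel, err := filepath.Rel(baseDir, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("destination %q escapes %q", dst, baseDir)
	}
	return dst, nil
}

func main() {
	// Constructed sample filenames, not taken from the thread's article.
	names := []string{
		"../../../etc/profile.d/script.sh",
		"holiday.JPG",
		"photo.png/../../x",
		"noextension",
	}
	for _, n := range names {
		dst, err := safeDest("/srv/original", 7, n)
		fmt.Printf("%-36q snippet=%-8q safe=%q err=%v\n", n, snippetName(7, n), dst, err)
	}
}
```

On a Unix-like system the first sample yields the snippet name `7.sh`: the directory components are dropped, while the extension remains client-controlled, which is what the allowlist in `safeDest` addresses.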