minor

kataras · Nov 3, 2023 · b12965b · b12965b
1 parent 4d13ff3
commit b12965b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 9 deletions.
diff --git a/_examples/file-server/upload-files/main.go b/_examples/file-server/upload-files/main.go
@@ -49,7 +49,11 @@ func newApp() *iris.Application {
 		// it can be used to change a file's name based on the request,
 		// at this example we will showcase how to use it
 		// by prefixing the uploaded file with the current user's ip.
-		ctx.UploadFormFiles("./uploads", beforeSave)
+		_, _, err := ctx.UploadFormFiles("./uploads", beforeSave)
+		if err != nil {
+			ctx.StopWithError(iris.StatusBadRequest, err)
+			return
+		}
 	})
 
 	app.Post("/upload_manual", func(ctx iris.Context) {
@@ -96,6 +100,7 @@ func beforeSave(ctx iris.Context, file *multipart.FileHeader) bool {
 		return true // don't change the file but continue saving it.
 	}
 
-	file.Filename = ip + "-" + file.Filename
+	_ = ip
+	// file.Filename = ip + "-" + file.Filename
 	return true
 }
diff --git a/context/context.go b/context/context.go
@@ -2456,23 +2456,26 @@ func (ctx *Context) UploadFormFiles(destDirectory string, before ...func(*Contex
 					destPath := filepath.Join(destDirectory, filename)
 
 					// Get the canonical path of the destination
-					canonicalDestPath, err := filepath.EvalSymlinks(destPath)
-					if err != nil {
-						return nil, 0, err
-					}
+					// canonicalDestPath, err := filepath.EvalSymlinks(destPath)
+					// if err != nil {
+					// 	return nil, 0, fmt.Errorf("dest path: %s: eval symlinks: %w", destPath, err)
+					// }
+					// ^ No, it will try to find the file before uploaded.
 
 					// Get the canonical path of the destination directory.
-					canonicalDestDir, err := filepath.EvalSymlinks(destDirectory)
+					canonicalDestDir, err := filepath.EvalSymlinks(destDirectory) // the destDirectory should exists.
 					if err != nil {
-						return nil, 0, err
+						return nil, 0, fmt.Errorf("dest directory: %s: eval symlinks: %w", destDirectory, err)
 					}
 
 					// Check if the destination path is within the destination directory.
-					if !strings.HasPrefix(canonicalDestPath, canonicalDestDir) {
+					if !strings.HasPrefix(destPath, canonicalDestDir) {
 						// Reject the input as it is a path traversal attempt.
 						continue innerLoop
 					}
 
+					file.Filename = filename
+
 					n0, err0 := ctx.SaveFormFile(file, destPath)
 					if err0 != nil {
 						return nil, 0, err0