Seems like filepath.Clean does not clean the path completely. Therefore, filepath.Clean cannot be used as a safe sanitizer against LFI/double-dot/directory traversal types of attacks.
The documentation for Clean explains precisely what it does. The documentation does not claim that Clean is any sort of sanitizer, since it isn't one. The documentation says what it does: "Clean returns the shortest path name equivalent to path by purely lexical processing."
Therefore, filepath.Clean cannot be used as a safe sanitizer against LFI/double-dot/directory traversal types of attacks.
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes. Using golang:latest
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
https://play.golang.org/p/sbCquGUpnyc
What did you expect to see?
/tmp/file.txt
/tmp/file.txt
What did you see instead?
/file.txt
/tmp/file.txt
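The point made in the reply above, shown as an added Go example that is not part of the issue or the Go standard library: Clean only rewrites the path lexically, so a ".." is collapsed into the preceding element rather than rejected (the input "/tmp/../file.txt" is assumed here to match the reported output). SafeJoin is a hypothetical helper that performs the containment check a caller actually needs, using a constructed base directory "/srv/files".

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesBase is returned when the joined path would leave the base directory.
var ErrEscapesBase = errors.New("path escapes base directory")

// SafeJoin joins an untrusted path onto a trusted base directory and rejects
// any result that does not stay inside base. filepath.Join (and Clean, which
// it calls) only normalizes lexically: ".." is resolved against the preceding
// element instead of refused, so the filepath.Rel check below is what enforces
// the boundary. Hypothetical helper for this example; it does not resolve
// symlinks inside base (see filepath.EvalSymlinks or, on Go 1.24+, os.Root).
func SafeJoin(base, untrusted string) (string, error) {
	joined := filepath.Join(base, untrusted)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	// rel is "." for base itself, a plain child path when contained, and
	// begins with ".." only when joined lies outside base. Checking for the
	// separator keeps a legitimate file named "..foo" from being rejected.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesBase
	}
	return joined, nil
}

func main() {
	// Clean collapses ".." instead of removing it: /file.txt, not /tmp/file.txt.
	fmt.Println(filepath.Clean("/tmp/../file.txt"))

	base := "/srv/files" // constructed base directory for the demonstration
	for _, p := range []string{"report.txt", "sub/../report.txt", "../../etc/passwd", "/etc/passwd"} {
		got, err := SafeJoin(base, p)
		fmt.Printf("%-20q -> %q %v\n", p, got, err)
	}
}
```

Note that an absolute untrusted path is joined beneath base rather than replacing it, so it is accepted as a contained child; only results that resolve outside base are rejected.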