This PR contains the following updates:

- gin-gonic/gin: `v1.9.0` -> `v1.9.1`
GitHub Vulnerability Alerts
CVE-2023-29401
The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat".
If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different from the one provided. A maliciously crafted attachment file name can modify the Content-Disposition header.
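As an added illustration (not code from gin or from this PR), the Go program below contrasts the unescaped header construction the advisory describes with one built through `mime.FormatMediaType`, and checks what a strict parser recovers from each. `craftedName` is the filename quoted in the advisory; `résumé.pdf` is a constructed non-ASCII case added to show the RFC 2231 path.

```go
package main

import (
	"fmt"
	"mime"
)

// Constructed attacker-controlled name, taken from the advisory text.
const craftedName = `setup.bat";x=.txt`

// unsafeDisposition mirrors the unescaped pattern the advisory describes:
// the raw name is dropped into the header, so a '"' inside it closes the
// filename value early and everything after it becomes extra parameters.
func unsafeDisposition(name string) string {
	return fmt.Sprintf(`attachment; filename="%s"`, name)
}

// safeDisposition is an added hardening illustration (not gin's own fix).
// mime.FormatMediaType backslash-escapes '"' and '\' inside a quoted
// value and switches to the RFC 2231 filename*=utf-8''... form when the
// name holds non-ASCII or control bytes, so the value cannot break out
// of the filename parameter.
func safeDisposition(name string) string {
	return mime.FormatMediaType("attachment", map[string]string{"filename": name})
}

// parsedFilename returns the filename a strict RFC parser recovers from a
// Content-Disposition value. Lenient clients may instead stop at the first
// closing quote, which is how the crafted name surfaces as "setup.bat".
func parsedFilename(header string) (string, error) {
	_, params, err := mime.ParseMediaType(header)
	if err != nil {
		return "", err
	}
	return params["filename"], nil
}

func main() {
	for _, h := range []string{
		unsafeDisposition(craftedName),
		safeDisposition(craftedName),
		safeDisposition("résumé.pdf"),
	} {
		name, err := parsedFilename(h)
		fmt.Printf("%-48s -> filename=%q err=%v\n", h, name, err)
	}
}
```

The unescaped header carries a second parameter `x=.txt` after the prematurely closed filename, which a strict parser rejects outright; the escaped forms round-trip to the exact name that was passed in.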
Release Notes
gin-gonic/gin
### [`v1.9.1`](https://togithub.com/gin-gonic/gin/blob/HEAD/CHANGELOG.md#Gin-v191)

[Compare Source](https://togithub.com/gin-gonic/gin/compare/v1.9.0...v1.9.1)

##### BUG FIXES

- fix Request.Context() checks [#3512](https://togithub.com/gin-gonic/gin/pull/3512)

##### SECURITY

- fix lack of escaping of filename in Content-Disposition [#3556](https://togithub.com/gin-gonic/gin/pull/3556)

##### ENHANCEMENTS

- refactor: use bytes.ReplaceAll directly [#3455](https://togithub.com/gin-gonic/gin/pull/3455)
- convert strings and slices using the officially recommended way [#3344](https://togithub.com/gin-gonic/gin/pull/3344)
- improve render code coverage [#3525](https://togithub.com/gin-gonic/gin/pull/3525)

##### DOCS

- docs: changed documentation link for trusted proxies [#3575](https://togithub.com/gin-gonic/gin/pull/3575)
- chore: improve linting, testing, and GitHub Actions setup [#3583](https://togithub.com/gin-gonic/gin/pull/3583)

Configuration
- Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- Automerge: Disabled by config. Please merge this manually once you are satisfied.
- Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.