From 97b38d3a4884b7c3d8891750a4c752073bc3c152 Mon Sep 17 00:00:00 2001
From: Erik Dubbelboer
Date: Mon, 27 Apr 2026 07:36:17 +0200
Subject: [PATCH] server: document SaveMultipartFile path trust requirement

---
 server.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server.go b/server.go
index c8cde14..d7439b5 100644
--- a/server.go
+++ b/server.go
@@ -1159,6 +1159,10 @@ func (ctx *RequestCtx) FormFile(key string) (*multipart.FileHeader, error) {
 var ErrMissingFile = errors.New("there is no uploaded file associated with the given key")
 
 // SaveMultipartFile saves multipart file fh under the given filename path.
+//
+// The path is used as-is and must be a server-trusted destination filename.
+// Do not pass the attacker-controlled fh.Filename directly without validating
+// it and constraining it to the intended destination directory.
 func SaveMultipartFile(fh *multipart.FileHeader, path string) (err error) {
 var (
 f multipart.File
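Review bot: The new doc comment on SaveMultipartFile tells callers to validate fh.Filename and constrain it to a destination directory, but it does not say what an acceptable check looks like, so every caller is left to invent its own. One more sentence would close that gap, for example `// For example, take filepath.Base(fh.Filename), reject "." and "..", and join the result onto a fixed upload directory.` It would also help to state whether an existing file at path is overwritten and whether symlinks in the destination are followed. The hunk cannot confirm either behaviour, because the body of SaveMultipartFile continues outside it.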