CommonsMultipartFile.getOriginalFilename() does not strip file path properly [SPR-13662] #18237
Comments
|
Juergen Hoeller commented Good catch; this should get revised. That said, please note that Juergen |
|
Hua Li commented Yes, Juergen. I totally agree with you. It is simply the file name provided from the browser / client side. Web server developers should not use that name as local file name unless they are fully aware of the security implications. While on the other hand we can also expect developers may have this kind of misuse from time to time. That's the reality, sadly. So fixing this on Spring side will likely mitigate quit a few of potential security issues in web applications that utilizing Spring framework. And thanks for the quck response - I was impressed :) |
|
Juergen Hoeller commented Resolved through always truncating at the last separator in the path, no matter which style. Juergen |
|
Challa Rao Ande commented Ubuntu(and I believe even Linux) allows "" in the filename, and if user uploads from a browser from linux having filename such as "hello\file.txt", #getOriginalFilename() will only give "file.txt". Also, do typical clients(browser clients in particular) send client filepath along with the name? If not do we need this piece of code to strip the filename? |
|
Juergen Hoeller commented Older browsers such as Opera sent path information but I'm not sure that's still the case. Also, programmatic HTTP clients may end up including some path information depending on how they build their In any case, I've raised #19180 to reconsider our behavior, in particular towards alignment between |
|
Challa Rao Ande commented Thanks. My only concern was that it misbehaves with perfectly valid file name (a file name with \ in it) in Linux. |
spring-projects-issues
added
type: bug
Hua Li opened SPR-13662 and commented
Note
I found the issue in the latest code of master branch here: https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/multipart/commons/CommonsMultipartFile.java
I assume it applies to the latest 4.2.2 version.
getOriginalFilename() tries to strip file path from while file path name string and returns only the file name part.
It has been coded to be adaptive - looking for Linux path separator char "/" first, if fail then looking for Windows path separator char "".
But this adaptive logic is buggy - if Spring is running on a Windows computer and if attacker provides a path name like "/......\malicious_directory\malicious_file" then the getOriginalFilename() method will return "......\malicious_directory\malicious_file" which is not a bare file name but contains both path and file name.
Then if application layer code assumes it is a bare file name and use it as a bare file name, critical path traversal issue can happen.
I think the right logic is - using File.separator to find and strip the path and get bare file name.
Affects: 3.2.15, 4.1.8, 4.2.2
Reference URL: https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/multipart/commons/CommonsMultipartFile.java
Issue Links:
Referenced from: commits 8d7d4ce, df49b11, 5d9d88c
Backported to: 4.1.9, 3.2.16
The text was updated successfully, but these errors were encountered: