Filename path is stripped for CommonsMultipartFile but not for StandardMultipartFile #26207

Closed
jhyot opened this issue Dec 3, 2020 · 2 comments
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: declined A suggestion or change that we don't feel we should currently apply

Comments

jhyot commented Dec 3, 2020

Affects: 5.3.1


MultipartFile#getOriginalFilename says in the Javadoc:

This may contain path information depending on the browser used,
but it typically will not with any other than Opera.

But for CommonsMultipartFile (one of the two provided implementations of the MultipartFile interface) there is actually a config option setPreserveFilename() which controls whether the path will be stripped away or not. StandardMultipartFile doesn't do that and doesn't have the config option. But actually the path stripping is done by Spring code, not Apache Commons code, see https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/multipart/commons/CommonsMultipartFile.java#L102

I would suggest using the path stripping code also for StandardMultipartFile, or would there be any reason not to?

@jhyot jhyot changed the title Strip path for CommonsMultipartFile but not for StandardMultipartFile Filename path is stripped for CommonsMultipartFile but not for StandardMultipartFile Dec 3, 2020
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Dec 3, 2020
@sbrannen sbrannen added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Dec 4, 2020
@rstoyanchev (Contributor) commented:

Stripping the path would not be sufficient to make the original filename completely safe to use. The recommendation is to avoid using it directly but rather to save it as extra information, if necessary.
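One way to follow that recommendation, as an added example that is not Spring's code or the reporter's: a hypothetical `UploadStorage` helper that re-implements the last-segment stripping for reference but never uses the client-supplied name as a path, storing the file under a random server-chosen name and keeping the original only as metadata. `MultipartFile#getOriginalFilename` and `transferTo(Path)` are the real Spring API; the class, the `Stored` record and the extension rule are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.UUID;
import java.util.regex.Pattern;
import org.springframework.web.multipart.MultipartFile;

/** Hypothetical helper (not part of Spring): never turns the client-supplied filename into a path. */
public final class UploadStorage {

    private static final Pattern SAFE_EXT = Pattern.compile("[a-z0-9]{1,8}");

    /** What we keep per upload: the server-chosen path plus the client's name as metadata only (Java 16+ record). */
    public record Stored(Path path, String originalFilename) {}

    /**
     * Same rule CommonsMultipartFile applies, re-implemented here for reference: keep only the
     * last segment, checking both separators because Windows clients send backslashes.
     * On its own this is not enough to make the name safe, which is why store() never uses it as a path.
     */
    static String stripPath(String name) {
        if (name == null) return "";
        int pos = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        return pos >= 0 ? name.substring(pos + 1) : name;
    }

    /** Extension of the stripped name, accepted only when short and alphanumeric; otherwise none. */
    static String safeExtension(String strippedName) {
        int dot = strippedName.lastIndexOf('.');
        if (dot < 0 || dot == strippedName.length() - 1) return "";
        String ext = strippedName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return SAFE_EXT.matcher(ext).matches() ? "." + ext : "";
    }

    /** Stores the upload under a random name inside uploadDir and returns the original name as metadata. */
    public static Stored store(MultipartFile file, Path uploadDir) throws IOException {
        String original = stripPath(file.getOriginalFilename());
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(UUID.randomUUID() + safeExtension(original)).normalize();
        // Defence in depth: the resolved target must still lie inside the upload directory.
        if (!target.startsWith(base)) {
            throw new IllegalStateException("upload target escaped the upload directory");
        }
        Files.createDirectories(base);
        file.transferTo(target);
        return new Stored(target, original);
    }
}
```

The returned `originalFilename` is suitable for display or a database column, not for building paths or shell commands.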

@rstoyanchev rstoyanchev added the status: waiting-for-feedback We need additional information before we can continue label Jan 12, 2021
@spring-projects-issues (Collaborator) commented:

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added status: feedback-reminder We've sent a reminder that we need additional information before we can continue status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Jan 19, 2021
@rstoyanchev rstoyanchev added status: declined A suggestion or change that we don't feel we should currently apply and removed status: feedback-provided Feedback has been provided status: waiting-for-triage An issue we've not yet triaged or decided on labels Jan 20, 2021
Development

No branches or pull requests

4 participants