MultipartFile.getOriginalFilename() documentation should warn user not to use it as destination file name #26299
Labels: in: web (Issues in web modules: web, webmvc, webflux, websocket); type: documentation (A documentation task)
Affects: 5.3.2
The javadoc for method org.springframework.web.multipart.MultipartFile.getOriginalFilename() should contain a big warning that the file name is client-controlled and must not be used as part of the destination file name on the local disk. An adversary can easily specify a malicious file name (cURL examples), and stripping off the directory name (as done by CommonsMultipartFile, see also #26207) is not enough (and might be disabled). For example the file name ".." could cause issues as well when the code handling file uploads is supposed to replace an existing file, but in this case might actually end up deleting the parent directory. Similarly, file names reserved under Windows could also cause issues.

It would therefore be best to advise the user not to use the file name (not even in combination with another string) as destination file name, but instead generate a random one and store the original file name somewhere else (if necessary).
Related OWASP links (ideally also link to them from the documentation):
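A storage routine that follows the advice in the issue above (server-generated random file name, client-supplied name kept only as metadata), written as an added example for this page and not part of Spring Framework or the reporter's code. It assumes Spring's MultipartFile on the classpath and Java 16+ for the record type.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;

import org.springframework.web.multipart.MultipartFile;

/**
 * Stores uploads under a random, server-generated name and keeps the
 * client-supplied name only as metadata. Example code for this issue,
 * not part of Spring Framework.
 */
public final class SafeUploadStore {

    /** What was written to disk, and what the client called the file. */
    public record StoredUpload(Path storedPath, String originalFilename) {}

    private final Path baseDir;

    public SafeUploadStore(Path baseDir) throws IOException {
        // Canonical base directory so the containment check below compares like with like.
        this.baseDir = Files.createDirectories(baseDir).toRealPath();
    }

    public StoredUpload store(MultipartFile file) throws IOException {
        // The pattern this issue warns against would be:
        //   Path target = baseDir.resolve(file.getOriginalFilename());
        // A name such as ".." points at the parent directory, so "replace the
        // existing file" logic can end up deleting it; reserved Windows names fail oddly.

        // Server-generated name: the client has no influence on where we write.
        Path target = baseDir.resolve(UUID.randomUUID().toString()).normalize();

        // Defense in depth: even a generated name must stay inside baseDir.
        if (!target.startsWith(baseDir)) {
            throw new IOException("upload target escaped base directory");
        }

        // Without REPLACE_EXISTING this throws rather than silently overwriting
        // or removing anything that already exists at the target path.
        try (var in = file.getInputStream()) {
            Files.copy(in, target);
        }

        // Keep the original name as data only (display, Content-Disposition, audit),
        // with control characters stripped so it cannot corrupt log lines.
        String original = file.getOriginalFilename();
        String cleaned = original == null ? "" : original.replaceAll("\\p{Cntrl}", "");
        return new StoredUpload(target, cleaned);
    }
}
```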