From fb040479eba85b49ceba9b1db60478037f32c1f0 Mon Sep 17 00:00:00 2001
From: Rossen Stoyanchev
Date: Wed, 6 Jan 2021 21:40:54 +0000
Subject: [PATCH] Update Javadoc of MultipartFile#getOriginalFilename Closes gh-26299
---
 .../org/springframework/web/multipart/MultipartFile.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/spring-web/src/main/java/org/springframework/web/multipart/MultipartFile.java b/spring-web/src/main/java/org/springframework/web/multipart/MultipartFile.java
index f5deb9ecffb..fa23582d283 100644
--- a/spring-web/src/main/java/org/springframework/web/multipart/MultipartFile.java
+++ b/spring-web/src/main/java/org/springframework/web/multipart/MultipartFile.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -53,10 +53,16 @@ public interface MultipartFile extends InputStreamSource {
 * Return the original filename in the client's filesystem.
 *

This may contain path information depending on the browser used,
 * but it typically will not with any other than Opera.
+ *

Note: Please keep in mind this filename is supplied
+ * by the client and should not be used blindly. In addition to not using
+ * the directory portion, the file name could also contain characters * such
+ * as ".." and others that can be used maliciously.
 * @return the original filename, or the empty String if no file has been chosen
 * in the multipart form, or {@code null} if not defined or not available
 * @see org.apache.commons.fileupload.FileItem#getName()
 * @see org.springframework.web.multipart.commons.CommonsMultipartFile#setPreserveFilename
+ * @see RFC 7578, Section 3.4
+ * @see Unrestricted File Upload
 */
 @Nullable
 String getOriginalFilename();
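Review bot: The added note in the second hunk warns that the filename is client-supplied and "should not be used blindly", but it never says what a caller should do instead, so the warning is easy to read and still get wrong. I would close the paragraph with one more sentence, for example `* Prefer a server-generated name for storage and keep this value only as metadata;` followed by `* if it must be used, keep only the last path segment and check the resolved path stays inside the target directory.` The unchanged context line just above still presents path information as a browser quirk ("typically will not with any other than Opera"), which undercuts the new note because the value comes from whatever client built the request; it is worth rewording in the same change. As shown on this page the third added line reads "characters * such", which looks like a stray asterisk in the sentence, though that may be a rendering artifact. The Javadoc block opens above the hunk, so the rest of the comment is not visible here.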