Spring Framework / SPR-13662

CommonsMultipartFile.getOriginalFilename() does not strip file path properly

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.15, 4.1.8, 4.2.2
    • Fix Version/s: 3.2.16, 4.1.9, 4.2.3
    • Component/s: Web

      Description

      Note
      I found the issue in the latest code of master branch here: https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/multipart/commons/CommonsMultipartFile.java
      I assume it applies to the latest 4.2.2 version.

      getOriginalFilename() tries to strip the file path from the whole file path name string and returns only the file name part.
      It has been coded to be adaptive, looking for the Linux path separator char "/" first and, if that fails, looking for the Windows path separator char "\".

      But this adaptive logic is buggy: if Spring is running on a Windows computer and an attacker provides a path name like "/..\..\..\malicious_directory\malicious_file", then the getOriginalFilename() method will return "..\..\..\malicious_directory\malicious_file", which is not a bare file name but contains both a path and a file name.

      Then, if application layer code assumes it is a bare file name and uses it as one, a critical path traversal issue can happen.

      I think the right logic is to use File.separator to find and strip the path and get the bare file name.
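      The following is an added illustration of the behaviour the report describes; it is not Spring's code and not the fix that shipped in 3.2.16 / 4.1.9 / 4.2.3. `stripAdaptive` reproduces the "try '/' first, then '\'" logic from the description, `stripBoth` is one assumed hardening (strip at the last occurrence of either separator, independent of the platform), and `isBareFilename` is the application-side check a consumer of getOriginalFilename() should apply before treating the value as a bare name. The sample inputs, including the one from the report, are constructed here.

```java
import java.util.Arrays;
import java.util.List;

// Added example for SPR-13662 (not Spring Framework code).
public class OriginalFilenameStrip {

    // Mirrors the adaptive logic described in the issue: look for '/' first,
    // and only if none is found look for '\'. A leading '/' therefore masks
    // every backslash that follows it.
    static String stripAdaptive(String name) {
        if (name == null) {
            return "";
        }
        int pos = name.lastIndexOf('/');
        if (pos == -1) {
            pos = name.lastIndexOf('\\');
        }
        return pos != -1 ? name.substring(pos + 1) : name;
    }

    // Assumed hardening (one reasonable variant, not necessarily the shipped
    // fix): cut at the last occurrence of either separator, whatever
    // platform the JVM runs on, so browser-supplied paths from either OS are
    // reduced to their final component.
    static String stripBoth(String name) {
        if (name == null) {
            return "";
        }
        int pos = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        return pos != -1 ? name.substring(pos + 1) : name;
    }

    // Defence in depth for application code: refuse anything that still
    // carries a separator or is a relative-path token, before using the
    // value to build a filesystem path.
    static boolean isBareFilename(String name) {
        return name != null
            && !name.isEmpty()
            && name.indexOf('/') == -1
            && name.indexOf('\\') == -1
            && !name.equals(".")
            && !name.equals("..");
    }

    public static void main(String[] args) {
        // Constructed inputs; the first one is the payload from the report.
        List<String> samples = Arrays.asList(
            "/..\\..\\..\\malicious_directory\\malicious_file",
            "C:\\Users\\alice\\report.pdf",
            "/home/alice/report.pdf",
            "..\\..\\report.pdf",
            "report.pdf");
        for (String s : samples) {
            String adaptive = stripAdaptive(s);
            String both = stripBoth(s);
            System.out.printf("%-48s adaptive=%-44s bare=%-5b both=%s%n",
                s, adaptive, isBareFilename(adaptive), both);
        }
    }
}
```

      For the report's payload, `stripAdaptive` returns "..\..\..\malicious_directory\malicious_file" (and `isBareFilename` rejects it), while `stripBoth` returns "malicious_file". Stripping both separators regardless of platform, rather than only File.separator, also covers the mirror case where a Linux server receives a backslash-separated name that is later written to or consumed on a Windows host; and since a client controls the whole multipart filename, application code should still validate the result rather than trust it as a bare name.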


              People

              • Assignee: juergen.hoeller Juergen Hoeller
              • Reporter: condorlee@hotmail.com Hua Li
              • Last updater: Challa Rao Ande
              • Votes: 0
              • Watchers: 3
