Spring Framework / SPR-13662

CommonsMultipartFile.getOriginalFilename() does not strip file path properly


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.15, 4.1.8, 4.2.2
    • Fix Version/s: 3.2.16, 4.1.9, 4.2.3
    • Component/s: Web


      I found the issue in the latest code of the master branch here: https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/multipart/commons/CommonsMultipartFile.java
      I assume it applies to the latest 4.2.2 version.

      getOriginalFilename() tries to strip the file path from the whole file path name string and returns only the file name part.
      It has been coded to be adaptive: it looks for the Linux path separator char "/" first and, if that fails, looks for the Windows path separator char "\".

      But this adaptive logic is buggy: if Spring is running on a Windows computer and an attacker provides a path name like "/..\..\..\malicious_directory\malicious_file", then the getOriginalFilename() method will return "..\..\..\malicious_directory\malicious_file", which is not a bare file name but contains both path and file name.

      Then, if application layer code assumes it is a bare file name and uses it as a bare file name, a critical path traversal issue can happen.

      I think the right logic is to use File.separator to find and strip the path and get the bare file name.





              • Assignee:
                juergen.hoeller Juergen Hoeller
                condorlee@hotmail.com Hua Li
                Last updater:
                Challa Rao Ande


                • Created:
                  Days since last comment:
                  2 years, 13 weeks, 1 day ago
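
The behaviour described in the report, next to a separator-agnostic strip and a caller-side containment check, as an added example that is not part of the original report and is not Spring's code. The class and method names and the `uploads` directory are hypothetical, and `stripAsDescribed` is reconstructed from the report's wording rather than copied from the project.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class OriginalFilenameDemo {

    // Logic as the report describes it (reconstructed, not copied from Spring):
    // look for "/" first and fall back to "\" only when no "/" is present.
    static String stripAsDescribed(String name) {
        int pos = name.lastIndexOf('/');
        if (pos == -1) {
            pos = name.lastIndexOf('\\');
        }
        return (pos != -1) ? name.substring(pos + 1) : name;
    }

    // Hardened variant: cut after the last separator of either style, so the
    // result does not depend on which separator appears or on the server OS.
    static String stripEitherSeparator(String name) {
        int pos = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        return name.substring(pos + 1);
    }

    // Caller-side check: resolve the bare name below the upload directory and
    // refuse anything that is empty or normalizes to a location outside it.
    static Path resolveInside(Path uploadDir, String clientName) {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(stripEitherSeparator(clientName)).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IllegalArgumentException("Rejected upload name: " + clientName);
        }
        return target;
    }

    public static void main(String[] args) {
        // File name taken from the report above.
        String reported = "/..\\..\\..\\malicious_directory\\malicious_file";
        Path uploads = Paths.get("uploads"); // hypothetical upload directory

        System.out.println("as described : " + stripAsDescribed(reported));
        System.out.println("either style : " + stripEitherSeparator(reported));
        System.out.println("stored as    : " + resolveInside(uploads, reported));
        try {
            resolveInside(uploads, "..");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The containment check in `resolveInside` is worth keeping in application code even with a corrected filename strip, since the client-supplied name is untrusted input either way.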