Affects: 5.3.2


The javadoc for method org.springframework.web.multipart.MultipartFile.getOriginalFilename() should contain a big warning that the file name is client-controlled and must not be used as part of the destination file name on the local disk.

An adversary can easily specify a malicious file name (for example with cURL), and stripping off the directory name (as done by CommonsMultipartFile, see also #26207) is not enough (and might be disabled). For example, the file name ".." could cause issues as well when the code handling file uploads is supposed to replace an existing file, but in this case might actually end up deleting the parent directory. Similarly, file names reserved under Windows could also cause issues.

It would therefore be best to advise the user not to use the file name (not even in combination with another string) as the destination file name, but instead to generate a random one and store the original file name somewhere else (if necessary).
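As an added illustration (not code from this issue or from Spring itself), a hypothetical UploadStore class shows the pattern the report warns against next to the recommended one; the upload root directory and the ".meta" sidecar file used to hold the original name are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;
import org.springframework.web.multipart.MultipartFile;

/** Stores uploads under one server-chosen directory (example class, not part of Spring). */
public class UploadStore {

    private final Path root;

    public UploadStore(Path root) throws IOException {
        // Normalised absolute root so the containment check below is meaningful.
        this.root = root.toAbsolutePath().normalize();
        Files.createDirectories(this.root);
    }

    /** The pattern the issue warns against: the client picks the on-disk name. */
    public Path storeUnsafe(MultipartFile file) throws IOException {
        // Even after stripping directory parts, a name such as ".." or a Windows
        // reserved device name still resolves somewhere the code did not intend.
        Path dest = root.resolve(file.getOriginalFilename());
        try (InputStream in = file.getInputStream()) {
            Files.copy(in, dest);
        }
        return dest;
    }

    /** The recommended pattern: the server generates the name; the original name is only metadata. */
    public Path storeSafe(MultipartFile file) throws IOException {
        String generated = UUID.randomUUID().toString();   // no client input reaches the path
        Path dest = root.resolve(generated).normalize();
        if (!dest.startsWith(root)) {                       // belt-and-braces containment check
            throw new IllegalStateException("destination escaped upload root");
        }
        try (InputStream in = file.getInputStream()) {
            Files.copy(in, dest);                           // throws if it exists; never overwrites
        }
        // The original name is data, not a path: keep it beside the file (or in a database).
        String original = file.getOriginalFilename();
        Files.writeString(root.resolve(generated + ".meta"), original == null ? "" : original);
        return dest;
    }
}
```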

Related OWASP links (ideally also link to them from the documentation):
- File Upload Cheat Sheet
- Unrestricted File Upload Vulnerability