Affects: 5.3.1


MultipartFile#getOriginalFilename says in the Javadoc:

This may contain path information depending on the browser used, but it typically will not with any other than Opera.

But for CommonsMultipartFile (one of the two provided implementations of the MultipartFile interface) there is actually a config option setPreserveFilename() which controls whether the path will be stripped away or not. StandardMultipartFile doesn't do that and doesn't have the config option. But actually the path stripping is done by Spring code, not Apache Commons code, see https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/multipart/commons/CommonsMultipartFile.java#L102

I would suggest using the path stripping code also for StandardMultipartFile, or would there be any reason not to?

Comment From: rstoyanchev

Stripping the path would not be sufficient to make the original filename completely safe to use. The recommendation is to avoid using it directly but rather to save it as extra information, if necessary.
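The recommendation above, written out as an added example (not code from the issue or from the Spring Framework): the upload is written under a server-generated name, so the client-supplied name never decides where bytes land on disk, and `getOriginalFilename()` is kept only as metadata. The `UploadStore` class, its `Stored` holder and the `displayName()` helper are assumptions introduced for this example; the only Spring API it relies on is the real `MultipartFile` interface (`getOriginalFilename()`, `getInputStream()`). The helper strips directory components the same way the issue describes for CommonsMultipartFile, but the result is used only as a label, which is the point: stripping makes the name presentable, not safe as a path.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.UUID;

import org.springframework.web.multipart.MultipartFile;

/**
 * Example upload handling (hypothetical class, not part of Spring):
 * bytes go to a generated filename, the original filename is metadata only.
 */
public final class UploadStore {

    /** What the caller gets back: on-disk location plus the untrusted original name. */
    public static final class Stored {
        public final Path location;
        public final String originalFilename;

        Stored(Path location, String originalFilename) {
            this.location = location;
            this.originalFilename = originalFilename;
        }
    }

    private final Path root;

    public UploadStore(Path root) throws IOException {
        this.root = root.toAbsolutePath().normalize();
        Files.createDirectories(this.root);
    }

    public Stored store(MultipartFile file) throws IOException {
        // Server-generated name: nothing the client sent influences this path.
        Path target = root.resolve(UUID.randomUUID().toString());

        // A UUID cannot contain separators, but stating the invariant explicitly
        // protects against a later change to the naming scheme.
        if (!target.toAbsolutePath().normalize().startsWith(root)) {
            throw new IllegalStateException("generated path escaped the upload root");
        }

        try (InputStream in = file.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        }

        // Per the Javadoc this may be null and may carry path information
        // depending on the browser and MultipartFile implementation. Store it
        // as-is for auditing; never use it to build a filesystem path.
        String original = file.getOriginalFilename();
        return new Stored(target, original == null ? "" : original);
    }

    /**
     * Label for showing the name back to users (e.g. in a download list).
     * Strips '/' and '\' directory parts like CommonsMultipartFile does, then
     * falls back to a neutral label when what remains is still not a usable
     * name. This value is for display only and is never resolved against disk.
     */
    public static String displayName(String originalFilename) {
        if (originalFilename == null) {
            return "upload";
        }
        String name = originalFilename;
        int slash = name.lastIndexOf('/');
        int backslash = name.lastIndexOf('\\');
        int cut = Math.max(slash, backslash);
        if (cut >= 0) {
            name = name.substring(cut + 1);
        }
        name = name.trim();
        // Stripping alone leaves cases such as an empty remainder, "." or ".."
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            return "upload";
        }
        return name;
    }
}
```

A controller would call `store(file)` and persist `Stored.originalFilename` alongside the generated location in its own records; anything shown to users goes through `displayName()`, and any later read of the file uses the stored `location`, never the original name.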

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.