Sanitized user-provided file names in HTTP multipart uploads

2024-02-01 23:48:27 +00:00
parent c8481fdbef
commit c8dfe10a7c
38 changed files with 83 additions and 45 deletions
--- a/src/main/java/stirling/software/SPDF/controller/api/RotationController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/RotationController.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api;

+import io.github.pixee.security.Filenames;
 import java.io.IOException;

 import org.apache.pdfbox.Loader;
@@ -49,6 +50,6 @@ public class RotationController {

        return WebResponseUtils.pdfDocToWebResponse(
                document,
-                pdfFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_rotated.pdf");
+                Filenames.toSimpleFileName(pdfFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_rotated.pdf");
    }
 }