Sanitized user-provided file names in HTTP multipart uploads

2026-03-18 05:46:49 +01:00 · 2024-02-01 23:48:27 +00:00
parent c8481fdbef
commit c8dfe10a7c
38 changed files with 83 additions and 45 deletions
--- a/src/main/java/stirling/software/SPDF/controller/api/security/CertSignController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/security/CertSignController.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api.security;

+import io.github.pixee.security.Filenames;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -123,7 +124,7 @@ public class CertSignController {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        sign(pdf.getBytes(), baos, createSignature, name, location, reason);
        return WebResponseUtils.boasToWebResponse(
-                baos, pdf.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_signed.pdf");
+                baos, Filenames.toSimpleFileName(pdf.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_signed.pdf");
    }

    private static void sign(
--- a/src/main/java/stirling/software/SPDF/controller/api/security/PasswordController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/security/PasswordController.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api.security;

+import io.github.pixee.security.Filenames;
 import java.io.IOException;

 import org.apache.pdfbox.Loader;
@@ -43,7 +44,7 @@ public class PasswordController {
        document.setAllSecurityToBeRemoved(true);
        return WebResponseUtils.pdfDocToWebResponse(
                document,
-                fileInput.getOriginalFilename().replaceFirst("[.][^.]+$", "")
+                Filenames.toSimpleFileName(fileInput.getOriginalFilename()).replaceFirst("[.][^.]+$", "")
                        + "_password_removed.pdf");
    }

@@ -88,10 +89,10 @@ public class PasswordController {
        if ("".equals(ownerPassword) && "".equals(password))
            return WebResponseUtils.pdfDocToWebResponse(
                    document,
-                    fileInput.getOriginalFilename().replaceFirst("[.][^.]+$", "")
+                    Filenames.toSimpleFileName(fileInput.getOriginalFilename()).replaceFirst("[.][^.]+$", "")
                            + "_permissions.pdf");
        return WebResponseUtils.pdfDocToWebResponse(
                document,
-                fileInput.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_passworded.pdf");
+                Filenames.toSimpleFileName(fileInput.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_passworded.pdf");
    }
 }
--- a/src/main/java/stirling/software/SPDF/controller/api/security/RedactController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/security/RedactController.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api.security;

+import io.github.pixee.security.Filenames;
 import java.awt.Color;
 import java.awt.image.BufferedImage;
 import java.io.ByteArrayOutputStream;
@@ -104,7 +105,7 @@ public class RedactController {
        byte[] pdfContent = baos.toByteArray();
        return WebResponseUtils.bytesToWebResponse(
                pdfContent,
-                file.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_redacted.pdf");
+                Filenames.toSimpleFileName(file.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_redacted.pdf");
    }

    private void redactFoundText(
--- a/src/main/java/stirling/software/SPDF/controller/api/security/SanitizeController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/security/SanitizeController.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api.security;

+import io.github.pixee.security.Filenames;
 import java.io.IOException;

 import org.apache.pdfbox.Loader;
@@ -76,7 +77,7 @@ public class SanitizeController {

            return WebResponseUtils.pdfDocToWebResponse(
                    document,
-                    inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "")
+                    Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "")
                            + "_sanitized.pdf");
        }
    }
--- a/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java
+++ b/src/main/java/stirling/software/SPDF/controller/api/security/WatermarkController.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api.security;

+import io.github.pixee.security.Filenames;
 import java.awt.Color;
 import java.awt.image.BufferedImage;
 import java.io.File;
@@ -104,7 +105,7 @@ public class WatermarkController {

        return WebResponseUtils.pdfDocToWebResponse(
                document,
-                pdfFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_watermarked.pdf");
+                Filenames.toSimpleFileName(pdfFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_watermarked.pdf");
    }

    private void addTextWatermark(