Update Javadoc of FilePart#filename

rstoyanchev · rstoyanchev · commit 138f6bfd84d0 · 2021-01-07T11:26:00.000Z
See gh-26299
diff --git a/spring-web/src/main/java/org/springframework/http/codec/multipart/FilePart.java b/spring-web/src/main/java/org/springframework/http/codec/multipart/FilePart.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,6 +33,14 @@ public interface FilePart extends Part {
 
 	/**
 	 * Return the original filename in the client's filesystem.
+	 * <p><strong>Note:</strong> Please keep in mind this filename is supplied
+	 * by the client and should not be used blindly. In addition to not using
+	 * the directory portion, the file name could also contain characters such
+	 * as ".." and others that can be used maliciously.
+	 * @return the original filename, or the empty String if no file has been chosen
+	 * in the multipart form, or {@code null} if not defined or not available
+	 * @see <a href="https://tools.ietf.org/html/rfc7578#section-4.2">RFC 7578, Section 4.2</a>
+	 * @see <a href="https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload">Unrestricted File Upload</a>
 	 */
 	String filename();
 
diff --git a/spring-web/src/main/java/org/springframework/web/multipart/MultipartFile.java b/spring-web/src/main/java/org/springframework/web/multipart/MultipartFile.java
@@ -55,13 +55,13 @@ public interface MultipartFile extends InputStreamSource {
 	 * but it typically will not with any other than Opera.
 	 * <p><strong>Note:</strong> Please keep in mind this filename is supplied
 	 * by the client and should not be used blindly. In addition to not using
-	 * the directory portion, the file name could also contain characters * such
+	 * the directory portion, the file name could also contain characters such
 	 * as ".." and others that can be used maliciously.
 	 * @return the original filename, or the empty String if no file has been chosen
 	 * in the multipart form, or {@code null} if not defined or not available
 	 * @see org.apache.commons.fileupload.FileItem#getName()
 	 * @see org.springframework.web.multipart.commons.CommonsMultipartFile#setPreserveFilename
-	 * @see <a href="https://tools.ietf.org/html/rfc7578#section-4.2">RFC 7578, Section 3.4</a>
+	 * @see <a href="https://tools.ietf.org/html/rfc7578#section-4.2">RFC 7578, Section 4.2</a>
 	 * @see <a href="https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload">Unrestricted File Upload</a>
 	 */
 	@Nullable
