From cf8c36adf34e4faacf69415c6e04e8f418da2074 Mon Sep 17 00:00:00 2001 From: Arjen Poutsma Date: Thu, 23 Jul 2020 17:43:20 +0200 Subject: [PATCH] Javadoc Add Javadoc note explaining that StringUtils.cleanPath should not be depended on in security context. --- .../src/main/java/org/springframework/util/StringUtils.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/spring-core/src/main/java/org/springframework/util/StringUtils.java b/spring-core/src/main/java/org/springframework/util/StringUtils.java index 5eb623f94a..7cf12a6925 100644 --- a/spring-core/src/main/java/org/springframework/util/StringUtils.java +++ b/spring-core/src/main/java/org/springframework/util/StringUtils.java @@ -645,6 +645,9 @@ public abstract class StringUtils { * inner simple dots. *

The result is convenient for path comparison. For other uses, * notice that Windows separators ("\") are replaced by simple slashes. + *

NOTE that {@code cleanPath} should not be depended + * upon in a security context. Other mechanisms should be used to prevent + * path-traversal issues. * @param path the original path * @return the normalized path */