Added Filepath.getSanitizedFilename, deprecated getFilename

[alexdboxall]

Pull Request Checklist

• Have you read How to write the perfect pull request?
• Have you read through the contributor guidelines?
• Have you referenced any issues you're fixing using commit message keywords?
• Have you added copyright headers to new files?
• Have you checked that both Scala and Java APIs are updated?
• Have you added tests for any changed functionality?

Helpful things

Fixes

Fixes #8008

Purpose

Provides a new way of getting sanitized filepaths from a FilePart, via the getSanitizedFilename method, as discussed in #8007 and #8008. Also deprecates the old getFilename method that returns the raw path.

Background Context

In #8000, it was found that Play used a raw filepath in an insecure way. This particular case was fixed in #8007, but @gmethvin suggested a reusable method should be added for doing this, instead of just once-off fixes.

This change uses the builtin Java functionality in Path.normalize to do most of the processing, as suggested by @wsargent. It then uses getFileName to return the last part of the path.

Also checks for empty filepaths and unresolvable .. paths and throws a runtime error - there is no good way to sanitize these into a valid filepath.

Tests have also been written in SanitizedFilenameTest.java to check that it works correctly.

References

#8007 and #8008