root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Do not support relative static resource paths 

Closes gh-33687
This commit is contained in:
rstoyanchev 2024-10-14 15:50:44 +01:00
parent e191c34078
commit 1a0b577bfc
4 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
View File

@ -140,7 +140,7 @@ public abstract class ResourceHandlerUtils {
return true; return true;
} }
} }
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) { if (path.contains("../")) {
if (logger.isWarnEnabled()) { if (logger.isWarnEnabled()) {
logger.warn(LogFormatUtils.formatValue( logger.warn(LogFormatUtils.formatValue(
"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true)); "Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));

1
spring-webflux/src/test/java/org/springframework/web/reactive/resource/ResourceWebHandlerTests.java
View File

@ -687,6 +687,7 @@ class ResourceWebHandlerTests {
testResolvePathWithTraversal(method, "../testsecret/secret.txt"); testResolvePathWithTraversal(method, "../testsecret/secret.txt");
testResolvePathWithTraversal(method, "test/../../testsecret/secret.txt"); testResolvePathWithTraversal(method, "test/../../testsecret/secret.txt");
testResolvePathWithTraversal(method, "/testsecret/test/../secret.txt");
testResolvePathWithTraversal(method, ":/../../testsecret/secret.txt"); testResolvePathWithTraversal(method, ":/../../testsecret/secret.txt");
location = new UrlResource(getClass().getResource("./test/")); location = new UrlResource(getClass().getResource("./test/"));

2
spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
View File

@ -140,7 +140,7 @@ public abstract class ResourceHandlerUtils {
return true; return true;
} }
} }
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) { if (path.contains("../")) {
if (logger.isWarnEnabled()) { if (logger.isWarnEnabled()) {
logger.warn(LogFormatUtils.formatValue( logger.warn(LogFormatUtils.formatValue(
"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true)); "Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));

1
spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java
View File

@ -643,6 +643,7 @@ class ResourceHttpRequestHandlerTests {
testInvalidPath("../testsecret/secret.txt"); testInvalidPath("../testsecret/secret.txt");
testInvalidPath("test/../../testsecret/secret.txt"); testInvalidPath("test/../../testsecret/secret.txt");
testInvalidPath(":/../../testsecret/secret.txt"); testInvalidPath(":/../../testsecret/secret.txt");
testInvalidPath("/testsecret/test/../secret.txt");
Resource location = new UrlResource(ResourceHttpRequestHandlerTests.class.getResource("./test/")); Resource location = new UrlResource(ResourceHttpRequestHandlerTests.class.getResource("./test/"));
this.handler.setLocations(List.of(location)); this.handler.setLocations(List.of(location));