Update valid path checks for double encoding

See gh-33687
This commit is contained in:
rstoyanchev 2024-10-14 18:10:02 +01:00
parent 20cdd192d9
commit 7d3a3d35ce
2 changed files with 33 additions and 24 deletions


@ -152,24 +152,28 @@ public abstract class ResourceHandlerUtils {
private static boolean isInvalidEncodedPath(String path) { private static boolean isInvalidEncodedPath(String path) {
if (path.contains("%")) { if (path.contains("%")) {
try { String decodedPath = decode(path);
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars if (decodedPath.contains("%")) {
String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8); decodedPath = decode(decodedPath);
if (isInvalidPath(decodedPath)) {
return true;
}
decodedPath = normalizeInputPath(decodedPath);
if (isInvalidPath(decodedPath)) {
return true;
}
} }
catch (IllegalArgumentException ex) { if (isInvalidPath(decodedPath)) {
// May not be possible to decode... return true;
} }
decodedPath = normalizeInputPath(decodedPath);
return isInvalidPath(decodedPath);
} }
return false; return false;
} }
private static String decode(String path) {
try {
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
}
/** /**
* Create a resource relative to the given {@link Resource}, also decoding * Create a resource relative to the given {@link Resource}, also decoding
* the resource path for a {@link UrlResource}. * the resource path for a {@link UrlResource}.
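Review bot: When the second decode in isInvalidEncodedPath fails, the once-decoded value is discarded: decode() returns "" on any exception, so a path whose first decoding still contains a stray `%` that URLDecoder rejects is reduced to an empty string, and the following isInvalidPath/normalizeInputPath checks run on "" (which is presumably never flagged) instead of on the decoded path that the previous version did check. Keeping the first result when the second pass fails preserves that check, e.g. replace `decodedPath = decode(decodedPath);` with `String twice = decode(decodedPath);` and `decodedPath = twice.isEmpty() ? decodedPath : twice;`. The new decode() also catches Exception although URLDecoder.decode only throws IllegalArgumentException; narrowing the catch and moving the dropped rationale comment `// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars` onto decode(), together with a Javadoc line stating that "" means the input could not be decoded, would make the helper's contract explicit for callers. The same change appears in the second file section below and this note applies there as well; the enclosing class ResourceHandlerUtils continues outside the hunk.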


@ -157,24 +157,29 @@ public abstract class ResourceHandlerUtils {
*/ */
private static boolean isInvalidEncodedPath(String path) { private static boolean isInvalidEncodedPath(String path) {
if (path.contains("%")) { if (path.contains("%")) {
try { String decodedPath = decode(path);
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars if (decodedPath.contains("%")) {
String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8); decodedPath = decode(decodedPath);
if (isInvalidPath(decodedPath)) {
return true;
}
decodedPath = normalizeInputPath(decodedPath);
if (isInvalidPath(decodedPath)) {
return true;
}
} }
catch (IllegalArgumentException ex) { if (isInvalidPath(decodedPath)) {
// May not be possible to decode... return true;
} }
decodedPath = normalizeInputPath(decodedPath);
return isInvalidPath(decodedPath);
} }
return false; return false;
} }
private static String decode(String path) {
try {
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
}
/** /**
* Check whether the resource is under the given location. * Check whether the resource is under the given location.
*/ */