Consistent logging of encoded path evaluation failure

Issue: SPR-16616
Juergen Hoeller 2018-03-27 17:04:59 +02:00
parent 75f70b269e
commit 98ad23bef8
2 changed files with 12 additions and 2 deletions


@ -193,7 +193,12 @@ public class PathResourceResolver extends AbstractResourceResolver {
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
try {
String decodedPath = URLDecoder.decode(resourcePath, "UTF-8");
return (decodedPath.contains("../") || decodedPath.contains("..\\"));
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
if (logger.isTraceEnabled()) {
logger.trace("Ignoring invalid resource path with escape sequences [" + resourcePath + "]");
}
return true;
}
}
catch (UnsupportedEncodingException ex) {
// Should never happen...
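Review bot: `URLDecoder.decode` also throws `IllegalArgumentException` on a malformed percent escape, and the only handler after this try block is `catch (UnsupportedEncodingException ex)`, so a request path with a broken escape leaves this check through an unchecked exception instead of a verdict. Because the non-matching case no longer returns from inside the try, the result for every other input now depends on the statement after the catch, which is outside the hunk, as is the start of the method. I would add an explicit second handler that fails closed, `catch (IllegalArgumentException ex) { return true; }`, with the same trace message; if undecodable paths are meant to pass, the handler should say so in a comment. The identical hunk in the second file has the same gap.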


@ -284,7 +284,12 @@ public class PathResourceResolver extends AbstractResourceResolver {
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
try {
String decodedPath = URLDecoder.decode(resourcePath, "UTF-8");
return (decodedPath.contains("../") || decodedPath.contains("..\\"));
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
if (logger.isTraceEnabled()) {
logger.trace("Ignoring invalid resource path with escape sequences [" + resourcePath + "]");
}
return true;
}
}
catch (UnsupportedEncodingException ex) {
// Should never happen...
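Review bot: The new `logger.trace` call is the only record that a decoded traversal sequence was rejected, and trace is normally switched off in production, so the rejection stays invisible to monitoring. If the level was chosen to match sibling checks in this class (not visible in the hunk), a short comment saying so would help; otherwise consider debug or `logger.warn` here. Logging `resourcePath` rather than `decodedPath` keeps decoded control characters out of the log line, which looks deliberate and is worth pinning with a comment such as `// Log the still-encoded path, never decodedPath, so decoded CR/LF cannot forge log lines`. The enclosing method starts and ends outside the hunk.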