Decode static resource path with UriUtils

Closes gh-33859
2024-11-12 10:15:57 +00:00 · 2024-11-12 10:15:57 +00:00 · e78179b96e
parent 49a63e2c37
commit e78179b96e
4 changed files with 34 additions and 28 deletions
--- a/spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
@ -149,21 +149,22 @@ class PathResourceLookupFunction implements Function<ServerRequest, Mono<Resourc

 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}

 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";
--- a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
@ -56,6 +56,7 @@ import org.springframework.web.reactive.HandlerMapping;
 import org.springframework.web.server.MethodNotAllowedException;
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.WebHandler;
+import org.springframework.web.util.UriUtils;
 import org.springframework.web.util.pattern.PathPattern;

 /**
@ -568,21 +569,22 @@ public class ResourceWebHandler implements WebHandler, InitializingBean {

 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}

 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
@ -150,21 +150,22 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res

 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}

 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@ -63,6 +63,7 @@ import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.servlet.HandlerMapping;
 import org.springframework.web.servlet.support.WebContentGenerator;
+import org.springframework.web.util.UriUtils;
 import org.springframework.web.util.UrlPathHelper;

 /**
@ -727,21 +728,22 @@ public class ResourceHttpRequestHandler extends WebContentGenerator

 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}

 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";