Decode static resource path with UriUtils
Closes gh-33859
parent
49a63e2c37
commit
e78179b96e
|
@ -149,21 +149,22 @@ class PathResourceLookupFunction implements Function<ServerRequest, Mono<Resourc
|
||||||
|
|
||||||
private static String normalizePath(String path) {
|
private static String normalizePath(String path) {
|
||||||
String result = path;
|
String result = path;
|
||||||
if (result.contains("%")) {
|
|
||||||
result = decode(result);
|
result = decode(result);
|
||||||
if (result.contains("%")) {
|
if (result.contains("%")) {
|
||||||
result = decode(result);
|
result = decode(result);
|
||||||
}
|
}
|
||||||
|
if (!StringUtils.hasText(result)) {
|
||||||
|
return result;
|
||||||
|
}
|
||||||
if (result.contains("../")) {
|
if (result.contains("../")) {
|
||||||
return StringUtils.cleanPath(result);
|
return StringUtils.cleanPath(result);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
return path;
|
return path;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String decode(String path) {
|
private static String decode(String path) {
|
||||||
try {
|
try {
|
||||||
return URLDecoder.decode(path, StandardCharsets.UTF_8);
|
return UriUtils.decode(path, StandardCharsets.UTF_8);
|
||||||
}
|
}
|
||||||
catch (Exception ex) {
|
catch (Exception ex) {
|
||||||
return "";
|
return "";
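Review bot: In `normalizePath` the second `decode(result)` now decides whether a path is accepted, because `decode` returns `""` on any exception and the added `if (!StringUtils.hasText(result)) { return result; }` hands that blank value back instead of the original path. A request whose first pass legitimately leaves a literal `%` (constructed example: `100%25.txt` decodes to `100%.txt`) makes the second pass fail, since `%.t` is not a valid escape, so the whole path comes back blank and is presumably refused by the caller, which is outside this hunk. If failing closed here is intended, say so with a comment above the new check, e.g. `// decode() returns "" for malformed escapes; a blank result tells the caller to reject the path`, and pin the literal-percent case with a test. The same lines appear in `ResourceWebHandler`, the second `PathResourceLookupFunction` and `ResourceHttpRequestHandler`; `decode`'s catch block closes outside the hunk.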
|
||||||
|
|
|
@ -56,6 +56,7 @@ import org.springframework.web.reactive.HandlerMapping;
|
||||||
import org.springframework.web.server.MethodNotAllowedException;
|
import org.springframework.web.server.MethodNotAllowedException;
|
||||||
import org.springframework.web.server.ServerWebExchange;
|
import org.springframework.web.server.ServerWebExchange;
|
||||||
import org.springframework.web.server.WebHandler;
|
import org.springframework.web.server.WebHandler;
|
||||||
|
import org.springframework.web.util.UriUtils;
|
||||||
import org.springframework.web.util.pattern.PathPattern;
|
import org.springframework.web.util.pattern.PathPattern;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -568,21 +569,22 @@ public class ResourceWebHandler implements WebHandler, InitializingBean {
|
||||||
|
|
||||||
private static String normalizePath(String path) {
|
private static String normalizePath(String path) {
|
||||||
String result = path;
|
String result = path;
|
||||||
if (result.contains("%")) {
|
|
||||||
result = decode(result);
|
result = decode(result);
|
||||||
if (result.contains("%")) {
|
if (result.contains("%")) {
|
||||||
result = decode(result);
|
result = decode(result);
|
||||||
}
|
}
|
||||||
|
if (!StringUtils.hasText(result)) {
|
||||||
|
return result;
|
||||||
|
}
|
||||||
if (result.contains("../")) {
|
if (result.contains("../")) {
|
||||||
return StringUtils.cleanPath(result);
|
return StringUtils.cleanPath(result);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
return path;
|
return path;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String decode(String path) {
|
private static String decode(String path) {
|
||||||
try {
|
try {
|
||||||
return URLDecoder.decode(path, StandardCharsets.UTF_8);
|
return UriUtils.decode(path, StandardCharsets.UTF_8);
|
||||||
}
|
}
|
||||||
catch (Exception ex) {
|
catch (Exception ex) {
|
||||||
return "";
|
return "";
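Review bot: `normalizePath` has three different return shapes and none is documented: a blank string when decoding fails, a decoded and cleaned path when the decoded copy contains `../`, and otherwise the original, still-encoded `path`. The last branch matters for review because the `../` test runs on a copy decoded at most twice, so anything that test does not match is passed on unchanged and depends on validation performed by the caller, which this hunk does not show. I would add a Javadoc stating that contract, along the lines of `Returns "" if the path cannot be decoded, the cleaned decoded path if it contains "../", else the input unchanged; callers must still validate the result`. The method is identical in the other three classes touched by this commit.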
|
||||||
|
|
|
@ -150,21 +150,22 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
|
||||||
|
|
||||||
private static String normalizePath(String path) {
|
private static String normalizePath(String path) {
|
||||||
String result = path;
|
String result = path;
|
||||||
if (result.contains("%")) {
|
|
||||||
result = decode(result);
|
result = decode(result);
|
||||||
if (result.contains("%")) {
|
if (result.contains("%")) {
|
||||||
result = decode(result);
|
result = decode(result);
|
||||||
}
|
}
|
||||||
|
if (!StringUtils.hasText(result)) {
|
||||||
|
return result;
|
||||||
|
}
|
||||||
if (result.contains("../")) {
|
if (result.contains("../")) {
|
||||||
return StringUtils.cleanPath(result);
|
return StringUtils.cleanPath(result);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
return path;
|
return path;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String decode(String path) {
|
private static String decode(String path) {
|
||||||
try {
|
try {
|
||||||
return URLDecoder.decode(path, StandardCharsets.UTF_8);
|
return UriUtils.decode(path, StandardCharsets.UTF_8);
|
||||||
}
|
}
|
||||||
catch (Exception ex) {
|
catch (Exception ex) {
|
||||||
return "";
|
return "";
|
||||||
|
|
|
@ -63,6 +63,7 @@ import org.springframework.web.cors.CorsConfiguration;
|
||||||
import org.springframework.web.cors.CorsConfigurationSource;
|
import org.springframework.web.cors.CorsConfigurationSource;
|
||||||
import org.springframework.web.servlet.HandlerMapping;
|
import org.springframework.web.servlet.HandlerMapping;
|
||||||
import org.springframework.web.servlet.support.WebContentGenerator;
|
import org.springframework.web.servlet.support.WebContentGenerator;
|
||||||
|
import org.springframework.web.util.UriUtils;
|
||||||
import org.springframework.web.util.UrlPathHelper;
|
import org.springframework.web.util.UrlPathHelper;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -727,21 +728,22 @@ public class ResourceHttpRequestHandler extends WebContentGenerator
|
||||||
|
|
||||||
private static String normalizePath(String path) {
|
private static String normalizePath(String path) {
|
||||||
String result = path;
|
String result = path;
|
||||||
if (result.contains("%")) {
|
|
||||||
result = decode(result);
|
result = decode(result);
|
||||||
if (result.contains("%")) {
|
if (result.contains("%")) {
|
||||||
result = decode(result);
|
result = decode(result);
|
||||||
}
|
}
|
||||||
|
if (!StringUtils.hasText(result)) {
|
||||||
|
return result;
|
||||||
|
}
|
||||||
if (result.contains("../")) {
|
if (result.contains("../")) {
|
||||||
return StringUtils.cleanPath(result);
|
return StringUtils.cleanPath(result);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
return path;
|
return path;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String decode(String path) {
|
private static String decode(String path) {
|
||||||
try {
|
try {
|
||||||
return URLDecoder.decode(path, StandardCharsets.UTF_8);
|
return UriUtils.decode(path, StandardCharsets.UTF_8);
|
||||||
}
|
}
|
||||||
catch (Exception ex) {
|
catch (Exception ex) {
|
||||||
return "";
|
return "";
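Review bot: This is the fourth copy of `normalizePath`/`decode`, identical as shown, that this commit edits (both `PathResourceLookupFunction` classes, `ResourceWebHandler`, `ResourceHttpRequestHandler`), and the fix had to be applied by hand to each. For path-validation code that is a maintenance risk, since a later correction that misses one copy leaves one handler behaving differently from the rest. Consider moving both methods into one shared static helper in a package all four classes can already see, or at least add a comment on each copy such as `// keep in sync with the other static resource handlers`. Separately, `catch (Exception ex)` could be narrowed to `catch (IllegalArgumentException ex)` if that is the only failure `UriUtils.decode` is expected to raise here; the catch block ends outside the hunk.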
|
||||||
|
|