Decode static resource path with UriUtils

Closes gh-33859
rstoyanchev 2024-11-12 10:15:57 +00:00
parent 49a63e2c37
commit e78179b96e
4 changed files with 34 additions and 28 deletions


@ -149,21 +149,22 @@ class PathResourceLookupFunction implements Function<ServerRequest, Mono<Resourc
private static String normalizePath(String path) { private static String normalizePath(String path) {
String result = path; String result = path;
result = decode(result);
if (result.contains("%")) { if (result.contains("%")) {
result = decode(result); result = decode(result);
if (result.contains("%")) { }
result = decode(result); if (!StringUtils.hasText(result)) {
} return result;
if (result.contains("../")) { }
return StringUtils.cleanPath(result); if (result.contains("../")) {
} return StringUtils.cleanPath(result);
} }
return path; return path;
} }
private static String decode(String path) { private static String decode(String path) {
try { try {
return URLDecoder.decode(path, StandardCharsets.UTF_8); return UriUtils.decode(path, StandardCharsets.UTF_8);
} }
catch (Exception ex) { catch (Exception ex) {
return ""; return "";
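Review bot: In normalizePath, the new `if (!StringUtils.hasText(result)) { return result; }` turns a decode failure into an empty return value, because decode() answers `""` for any exception; the old column suggests such a path used to fall through to `return path`. How the callers treat an empty path is not visible in this hunk, so the intent deserves a comment above the check, e.g. `// decode() yields "" for an invalid escape sequence; return that instead of the raw input`. UriUtils.decode reports invalid escape sequences with IllegalArgumentException, so `catch (Exception ex)` could be narrowed to `catch (IllegalArgumentException ex)` to stop unrelated failures being mapped to the same result. The same lines appear in the other three file sections of this commit, and decode()'s body ends outside the hunk.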


@ -56,6 +56,7 @@ import org.springframework.web.reactive.HandlerMapping;
import org.springframework.web.server.MethodNotAllowedException; import org.springframework.web.server.MethodNotAllowedException;
import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebHandler; import org.springframework.web.server.WebHandler;
import org.springframework.web.util.UriUtils;
import org.springframework.web.util.pattern.PathPattern; import org.springframework.web.util.pattern.PathPattern;
/** /**
@ -568,21 +569,22 @@ public class ResourceWebHandler implements WebHandler, InitializingBean {
private static String normalizePath(String path) { private static String normalizePath(String path) {
String result = path; String result = path;
result = decode(result);
if (result.contains("%")) { if (result.contains("%")) {
result = decode(result); result = decode(result);
if (result.contains("%")) { }
result = decode(result); if (!StringUtils.hasText(result)) {
} return result;
if (result.contains("../")) { }
return StringUtils.cleanPath(result); if (result.contains("../")) {
} return StringUtils.cleanPath(result);
} }
return path; return path;
} }
private static String decode(String path) { private static String decode(String path) {
try { try {
return URLDecoder.decode(path, StandardCharsets.UTF_8); return UriUtils.decode(path, StandardCharsets.UTF_8);
} }
catch (Exception ex) { catch (Exception ex) {
return ""; return "";
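Review bot: This normalizePath/decode pair is a line-for-line copy of the one patched in the three other classes on this page, so every later fix to the traversal check has to be repeated four times and the copies can drift apart. Consider moving both methods into one shared utility and calling it from ResourceWebHandler, the two PathResourceLookupFunction classes and ResourceHttpRequestHandler. Until then, a short comment on normalizePath such as `// keep in sync with the copies in the other static resource handlers` would at least flag the coupling. decode()'s body ends outside the hunk.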


@ -150,21 +150,22 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
private static String normalizePath(String path) { private static String normalizePath(String path) {
String result = path; String result = path;
result = decode(result);
if (result.contains("%")) { if (result.contains("%")) {
result = decode(result); result = decode(result);
if (result.contains("%")) { }
result = decode(result); if (!StringUtils.hasText(result)) {
} return result;
if (result.contains("../")) { }
return StringUtils.cleanPath(result); if (result.contains("../")) {
} return StringUtils.cleanPath(result);
} }
return path; return path;
} }
private static String decode(String path) { private static String decode(String path) {
try { try {
return URLDecoder.decode(path, StandardCharsets.UTF_8); return UriUtils.decode(path, StandardCharsets.UTF_8);
} }
catch (Exception ex) { catch (Exception ex) {
return ""; return "";


@ -63,6 +63,7 @@ import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.servlet.HandlerMapping; import org.springframework.web.servlet.HandlerMapping;
import org.springframework.web.servlet.support.WebContentGenerator; import org.springframework.web.servlet.support.WebContentGenerator;
import org.springframework.web.util.UriUtils;
import org.springframework.web.util.UrlPathHelper; import org.springframework.web.util.UrlPathHelper;
/** /**
@ -727,21 +728,22 @@ public class ResourceHttpRequestHandler extends WebContentGenerator
private static String normalizePath(String path) { private static String normalizePath(String path) {
String result = path; String result = path;
result = decode(result);
if (result.contains("%")) { if (result.contains("%")) {
result = decode(result); result = decode(result);
if (result.contains("%")) { }
result = decode(result); if (!StringUtils.hasText(result)) {
} return result;
if (result.contains("../")) { }
return StringUtils.cleanPath(result); if (result.contains("../")) {
} return StringUtils.cleanPath(result);
} }
return path; return path;
} }
private static String decode(String path) { private static String decode(String path) {
try { try {
return URLDecoder.decode(path, StandardCharsets.UTF_8); return UriUtils.decode(path, StandardCharsets.UTF_8);
} }
catch (Exception ex) { catch (Exception ex) {
return ""; return "";
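Review bot: normalizePath stops after two decode passes and returns the original `path` whenever the decoded copy has no `../`, but nothing in the method says why two passes are enough or that the decoded value is used only for the check. A path that still contains `%` after the second decode() reaches `return path` unchanged, and which later check covers that case cannot be seen from this hunk. A Javadoc on normalizePath should state the contract: it returns the cleaned path when a `../` segment shows up after decoding, an empty or blank string when decoding fails or yields no text, and the untouched input otherwise. None of the four changed files shown on this page is a test, so a regression test pinning the `+` handling that differs between URLDecoder and UriUtils would also be worth adding.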