root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Reinstate removal of jsessionid from lookup path 

Closes gh-25864
This commit is contained in:
Rossen Stoyanchev 2020-10-07 11:31:52 +01:00
parent ca7fb23432
commit eb11c6fa23
4 changed files with 54 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
spring-web/src/main/java/org/springframework/web/util/UrlPathHelper.java
View File

@ -556,7 +556,8 @@ public class UrlPathHelper {
* @return the updated URI string * @return the updated URI string
*/ */
public String removeSemicolonContent(String requestUri) { public String removeSemicolonContent(String requestUri) {
return (this.removeSemicolonContent ? removeSemicolonContentInternal(requestUri) : requestUri); return (this.removeSemicolonContent ?
removeSemicolonContentInternal(requestUri) : removeJsessionid(requestUri));
} }
private String removeSemicolonContentInternal(String requestUri) { private String removeSemicolonContentInternal(String requestUri) {
@ -570,6 +571,22 @@ public class UrlPathHelper {
return requestUri; return requestUri;
} }
private String removeJsessionid(String requestUri) {
String key = ";jsessionid=";
int index = requestUri.toLowerCase().indexOf(key);
if (index == -1) {
return requestUri;
}
String start = requestUri.substring(0, index);
for (int i = key.length(); i < requestUri.length(); i++) {
char c = requestUri.charAt(i);
if (c == ';' || c == '/') {
return start + requestUri.substring(i);
}
}
return start;
}
/** /**
* Decode the given URI path variables via {@link #decodeRequestString} unless * Decode the given URI path variables via {@link #decodeRequestString} unless
* {@link #setUrlDecode} is set to {@code true} in which case it is assumed * {@link #setUrlDecode} is set to {@code true} in which case it is assumed
@ -675,7 +692,13 @@ public class UrlPathHelper {
* <li>{@code defaultEncoding=}{@link WebUtils#DEFAULT_CHARACTER_ENCODING} * <li>{@code defaultEncoding=}{@link WebUtils#DEFAULT_CHARACTER_ENCODING}
* </ul> * </ul>
*/ */
public static final UrlPathHelper rawPathInstance = new UrlPathHelper(); public static final UrlPathHelper rawPathInstance = new UrlPathHelper() {
@Override
public String removeSemicolonContent(String requestUri) {
return requestUri;
}
};
static { static {
rawPathInstance.setAlwaysUseFullPath(true); rawPathInstance.setAlwaysUseFullPath(true);

2
spring-web/src/test/java/org/springframework/web/util/UrlPathHelperTests.java
View File

@ -133,7 +133,7 @@ public class UrlPathHelperTests {
assertThat(helper.getRequestUri(request)).isEqualTo("/foo;a=b;c=d"); assertThat(helper.getRequestUri(request)).isEqualTo("/foo;a=b;c=d");
request.setRequestURI("/foo;jsessionid=c0o7fszeb1"); request.setRequestURI("/foo;jsessionid=c0o7fszeb1");
assertThat(helper.getRequestUri(request)).isEqualTo("/foo;jsessionid=c0o7fszeb1"); assertThat(helper.getRequestUri(request)).isEqualTo("/foo");
} }
@Test @Test

1
spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestResponseBodyMethodProcessorTests.java
View File

@ -389,6 +389,7 @@ public class RequestResponseBodyMethodProcessorTests {
assertContentDisposition(processor, true, "/hello.json;a=b;setup.dataless", "unknown ext in path params"); assertContentDisposition(processor, true, "/hello.json;a=b;setup.dataless", "unknown ext in path params");
assertContentDisposition(processor, true, "/hello.dataless;a=b;setup.json", "unknown ext in filename"); assertContentDisposition(processor, true, "/hello.dataless;a=b;setup.json", "unknown ext in filename");
assertContentDisposition(processor, false, "/hello.json;a=b;setup.json", "safe extensions"); assertContentDisposition(processor, false, "/hello.json;a=b;setup.json", "safe extensions");
assertContentDisposition(processor, true, "/hello.json;jsessionid=foo.bar", "jsessionid shouldn't cause issue");
// encoded dot // encoded dot
assertContentDisposition(processor, true, "/hello%2Edataless;a=b;setup.json", "encoded dot in filename"); assertContentDisposition(processor, true, "/hello%2Edataless;a=b;setup.json", "encoded dot in filename");

28
spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/UriTemplateServletAnnotationControllerHandlerMethodTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -69,6 +69,28 @@ public class UriTemplateServletAnnotationControllerHandlerMethodTests extends Ab
assertThat(response.getContentAsString()).isEqualTo("test-42-7"); assertThat(response.getContentAsString()).isEqualTo("test-42-7");
} }
@Test // gh-25864
public void literalMappingWithPathParams() throws Exception {
initServletWithControllers(MultipleUriTemplateController.class);
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/data");
MockHttpServletResponse response = new MockHttpServletResponse();
getServlet().service(request, response);
assertThat(response.getStatus()).isEqualTo(200);
assertThat(response.getContentAsString()).isEqualTo("test");
request = new MockHttpServletRequest("GET", "/data;foo=bar");
response = new MockHttpServletResponse();
getServlet().service(request, response);
assertThat(response.getStatus()).isEqualTo(404);
request = new MockHttpServletRequest("GET", "/data;jsessionid=123");
response = new MockHttpServletResponse();
getServlet().service(request, response);
assertThat(response.getStatus()).isEqualTo(200);
assertThat(response.getContentAsString()).isEqualTo("test");
}
@Test @Test
public void multiple() throws Exception { public void multiple() throws Exception {
initServletWithControllers(MultipleUriTemplateController.class); initServletWithControllers(MultipleUriTemplateController.class);
@ -388,6 +410,10 @@ public class UriTemplateServletAnnotationControllerHandlerMethodTests extends Ab
writer.write("test-" + hotel + "-q" + qHotel + "-" + booking + "-" + other + "-q" + qOther); writer.write("test-" + hotel + "-q" + qHotel + "-" + booking + "-" + other + "-q" + qOther);
} }
@RequestMapping("/data")
void handleWithLiteralMapping(Writer writer) throws IOException {
writer.write("test");
}
} }
@Controller @Controller