root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Simplified separator check within isInvalidEncodedPath 

Issue: SPR-16616
This commit is contained in:
Juergen Hoeller 2018-03-27 00:23:36 +02:00
parent c60cefa331
commit f59ea610df
1 changed files with 1 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
View File

@ -284,16 +284,7 @@ public class PathResourceResolver extends AbstractResourceResolver {
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars... // Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
try { try {
String decodedPath = URLDecoder.decode(resourcePath, "UTF-8"); String decodedPath = URLDecoder.decode(resourcePath, "UTF-8");
int separatorIndex = decodedPath.indexOf("..") + 2; return (decodedPath.contains("../") || decodedPath.contains("..\\"));
if (separatorIndex > 1 && separatorIndex < decodedPath.length()) {
char separator = decodedPath.charAt(separatorIndex);
if (separator == '/' || separator == '\\') {
if (logger.isTraceEnabled()) {
logger.trace("Resolved resource path contains \"../\" after decoding: " + resourcePath);
}
}
return true;
}
} }
catch (UnsupportedEncodingException ex) { catch (UnsupportedEncodingException ex) {
// Should never happen... // Should never happen...