root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update processPath for double encoding 

See gh-33689
This commit is contained in:
rstoyanchev 2024-10-14 18:13:43 +01:00
parent 7c2c4d7c9a
commit fb7890d739
4 changed files with 64 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
View File

@ -148,18 +148,26 @@ class PathResourceLookupFunction implements Function<ServerRequest, Mono<Resourc
}
private static String normalizePath(String path) {
if (path.contains("%")) {
String result = path;
if (result.contains("%")) {
result = decode(result);
if (result.contains("%")) {
result = decode(result);
}
if (result.contains("../")) {
return StringUtils.cleanPath(result);
}
}
return path;
}
private static String decode(String path) {
try {
path = URLDecoder.decode(path, StandardCharsets.UTF_8);
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
if (path.contains("../")) {
path = StringUtils.cleanPath(path);
}
}
return path;
}
private boolean isInvalidPath(String path) {

22
spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
View File

@ -567,18 +567,26 @@ public class ResourceWebHandler implements WebHandler, InitializingBean {
}
private static String normalizePath(String path) {
if (path.contains("%")) {
String result = path;
if (result.contains("%")) {
result = decode(result);
if (result.contains("%")) {
result = decode(result);
}
if (result.contains("../")) {
return StringUtils.cleanPath(result);
}
}
return path;
}
private static String decode(String path) {
try {
path = URLDecoder.decode(path, StandardCharsets.UTF_8);
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
if (path.contains("../")) {
path = StringUtils.cleanPath(path);
}
}
return path;
}
/**

22
spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
View File

@ -149,18 +149,26 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
}
private static String normalizePath(String path) {
if (path.contains("%")) {
String result = path;
if (result.contains("%")) {
result = decode(result);
if (result.contains("%")) {
result = decode(result);
}
if (result.contains("../")) {
return StringUtils.cleanPath(result);
}
}
return path;
}
private static String decode(String path) {
try {
path = URLDecoder.decode(path, StandardCharsets.UTF_8);
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
if (path.contains("../")) {
path = StringUtils.cleanPath(path);
}
}
return path;
}
private boolean isInvalidPath(String path) {

22
spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
View File

@ -726,18 +726,26 @@ public class ResourceHttpRequestHandler extends WebContentGenerator
}
private static String normalizePath(String path) {
if (path.contains("%")) {
String result = path;
if (result.contains("%")) {
result = decode(result);
if (result.contains("%")) {
result = decode(result);
}
if (result.contains("../")) {
return StringUtils.cleanPath(result);
}
}
return path;
}
private static String decode(String path) {
try {
path = URLDecoder.decode(path, StandardCharsets.UTF_8);
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
if (path.contains("../")) {
path = StringUtils.cleanPath(path);
}
}
return path;
}
/**