root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Validate Resource type in ResourceHttpRequestHandler

This commit is contained in:
Rossen Stoyanchev 2021-01-11 20:54:27 +00:00
parent e5ab67bd71
commit fceceb480f
2 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
View File

@ -57,6 +57,7 @@ import org.springframework.util.StringValueResolver;
import org.springframework.web.HttpRequestHandler;
import org.springframework.web.accept.ContentNegotiationManager;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.context.support.ServletContextResource;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.servlet.HandlerMapping;
@ -445,6 +446,12 @@ public class ResourceHttpRequestHandler extends WebContentGenerator
location = location.substring(endIndex + 1);
}
Resource resource = applicationContext.getResource(location);
if (location.equals("/") && !(resource instanceof ServletContextResource)) {
throw new IllegalStateException(
"The String-based location \"/\" should be relative to the web application root " +
"but resolved to a Resource of type: " + resource.getClass() + ". " +
"If this is intentional, please pass it as a pre-configured Resource via setLocations.");
}
this.locationsToUse.add(resource);
if (charset != null) {
if (!(resource instanceof UrlResource)) {

21
spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java
View File

@ -29,6 +29,7 @@ import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.core.io.UrlResource;
import org.springframework.http.HttpMethod;
@ -38,6 +39,7 @@ import org.springframework.util.StringUtils;
import org.springframework.web.HttpRequestMethodNotSupportedException;
import org.springframework.web.accept.ContentNegotiationManager;
import org.springframework.web.accept.ContentNegotiationManagerFactoryBean;
import org.springframework.web.context.support.StaticWebApplicationContext;
import org.springframework.web.servlet.HandlerMapping;
import org.springframework.web.testfixture.servlet.MockHttpServletRequest;
import org.springframework.web.testfixture.servlet.MockHttpServletResponse;
@ -723,6 +725,25 @@ public class ResourceHttpRequestHandlerTests {
assertThat(this.response.getContentAsString()).isEqualTo("h1 { color:red; }");
}
@Test
public void servletContextRootValidation() {
StaticWebApplicationContext context = new StaticWebApplicationContext() {
@Override
public Resource getResource(String location) {
return new FileSystemResource("/");
}
};
ResourceHttpRequestHandler handler = new ResourceHttpRequestHandler();
handler.setLocationValues(Collections.singletonList("/"));
handler.setApplicationContext(context);
assertThatIllegalStateException().isThrownBy(handler::afterPropertiesSet)
.withMessage("The String-based location \"/\" should be relative to the web application root but " +
"resolved to a Resource of type: class org.springframework.core.io.FileSystemResource. " +
"If this is intentional, please pass it as a pre-configured Resource via setLocations.");
}
private long resourceLastModified(String resourceName) throws IOException {
return new ClassPathResource(resourceName, getClass()).getFile().lastModified();