GitHub-Spring
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Do not support relative static resource paths 

Closes gh-33687
pull/33703/head
rstoyanchev 1 year ago
parent
e191c34078
commit
1a0b577bfc
4 changed files with 4 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
  2. 1
      spring-webflux/src/test/java/org/springframework/web/reactive/resource/ResourceWebHandlerTests.java
  3. 2
      spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
  4. 1
      spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java

2
spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
Unescape View File

@ -140,7 +140,7 @@ public abstract class ResourceHandlerUtils { @@ -140,7 +140,7 @@ public abstract class ResourceHandlerUtils {
return true;
}
}
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
if (path.contains("../")) {
if (logger.isWarnEnabled()) {
logger.warn(LogFormatUtils.formatValue(
"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));

1
spring-webflux/src/test/java/org/springframework/web/reactive/resource/ResourceWebHandlerTests.java
Unescape View File

@ -687,6 +687,7 @@ class ResourceWebHandlerTests { @@ -687,6 +687,7 @@ class ResourceWebHandlerTests {
testResolvePathWithTraversal(method, "../testsecret/secret.txt");
testResolvePathWithTraversal(method, "test/../../testsecret/secret.txt");
testResolvePathWithTraversal(method, "/testsecret/test/../secret.txt");
testResolvePathWithTraversal(method, ":/../../testsecret/secret.txt");
location = new UrlResource(getClass().getResource("./test/"));

2
spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
Unescape View File

@ -140,7 +140,7 @@ public abstract class ResourceHandlerUtils { @@ -140,7 +140,7 @@ public abstract class ResourceHandlerUtils {
return true;
}
}
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
if (path.contains("../")) {
if (logger.isWarnEnabled()) {
logger.warn(LogFormatUtils.formatValue(
"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));

1
spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java
Unescape View File

@ -643,6 +643,7 @@ class ResourceHttpRequestHandlerTests { @@ -643,6 +643,7 @@ class ResourceHttpRequestHandlerTests {
testInvalidPath("../testsecret/secret.txt");
testInvalidPath("test/../../testsecret/secret.txt");
testInvalidPath(":/../../testsecret/secret.txt");
testInvalidPath("/testsecret/test/../secret.txt");
Resource location = new UrlResource(ResourceHttpRequestHandlerTests.class.getResource("./test/"));
this.handler.setLocations(List.of(location));

Write Preview
Loading…
Cancel
Save