Allow relative paths within resource location path

Prior to this change, location paths used for resource handling would not allow "non-cleaned, relative paths" such as `file://home/user/static/../static/`. When checking if the resolved resource's path starts with the location path, a mismatch would happen when comparing for example: * the location `file://home/user/static/../static/` * and the resource `file://home/user/static/resource.txt` This commit cleans the location path before comparing it to the resource path. Issue: SPR-12624
11 years ago · 77c8aa53ae
2 changed files with 16 additions and 6 deletions
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletRequest;
				@@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.UrlResource;
+import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.ServletContextResource;

 /**
@ -164,19 +165,19 @@ public class PathResourceResolver extends AbstractResourceResolver {
				@@ -164,19 +165,19 @@ public class PathResourceResolver extends AbstractResourceResolver {
 		String locationPath;
 		if (resource instanceof UrlResource) {
 			resourcePath = resource.getURL().toExternalForm();
-			locationPath = location.getURL().toExternalForm();
+			locationPath = StringUtils.cleanPath(location.getURL().toString());
 		}
 		else if (resource instanceof ClassPathResource) {
 			resourcePath = ((ClassPathResource) resource).getPath();
-			locationPath = ((ClassPathResource) location).getPath();
+			locationPath = StringUtils.cleanPath(((ClassPathResource) location).getPath());
 		}
 		else if (resource instanceof ServletContextResource) {
 			resourcePath = ((ServletContextResource) resource).getPath();
-			locationPath = ((ServletContextResource) location).getPath();
+			locationPath = StringUtils.cleanPath(((ServletContextResource) location).getPath());
 		}
 		else {
 			resourcePath = resource.getURL().getPath();
-			locationPath = location.getURL().getPath();
+			locationPath = StringUtils.cleanPath(location.getURL().getPath());
 		}
 		locationPath = (locationPath.endsWith("/") || locationPath.isEmpty() ? locationPath : locationPath + "/");
 		if (!resourcePath.startsWith(locationPath)) {
--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/PathResourceResolverTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/PathResourceResolverTests.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -108,4 +108,13 @@ public class PathResourceResolverTests {
				@@ -108,4 +108,13 @@ public class PathResourceResolverTests {
 		assertTrue(this.resolver.checkResource(resource, servletContextLocation));
 	}

+	// SPR-12624
+	@Test
+	public void checkRelativeLocation() throws Exception {
+		String locationUrl= new UrlResource(getClass().getResource("./test/")).getURL().toExternalForm();
+		Resource location = new UrlResource(locationUrl.replace("/springframework","/../org/springframework"));
+
+		assertNotNull(this.resolver.resolveResource(null, "main.css", Arrays.asList(location), null));
+	}
+
 }