From 77c8aa53ae3eb72a5efb1f398832cbc6123a86fa Mon Sep 17 00:00:00 2001
From: Brian Clozel
Date: Tue, 20 Jan 2015 17:46:05 +0100
Subject: [PATCH] Allow relative paths within resource location path

Prior to this change, location paths used for resource handling would not allow "non-cleaned, relative paths" such as `file://home/user/static/../static/`. When checking if the resolved resource's path starts with the location path, a mismatch would happen when comparing for example:
* the location `file://home/user/static/../static/`
* and the resource `file://home/user/static/resource.txt`

This commit cleans the location path before comparing it to the resource path.

Issue: SPR-12624
---
 .../web/servlet/resource/PathResourceResolver.java | 11 ++++++-----
 .../servlet/resource/PathResourceResolverTests.java | 11 ++++++++++-
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
index 1629c8fd027..475f40b3909 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.UrlResource;
+import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.ServletContextResource;
 
 /**
@@ -164,19 +165,19 @@ public class PathResourceResolver extends AbstractResourceResolver {
  String locationPath;
  if (resource instanceof UrlResource) {
  resourcePath = resource.getURL().toExternalForm();
- locationPath = location.getURL().toExternalForm();
+ locationPath = StringUtils.cleanPath(location.getURL().toString());
  }
  else if (resource instanceof ClassPathResource) {
  resourcePath = ((ClassPathResource) resource).getPath();
- locationPath = ((ClassPathResource) location).getPath();
+ locationPath = StringUtils.cleanPath(((ClassPathResource) location).getPath());
  }
  else if (resource instanceof ServletContextResource) {
  resourcePath = ((ServletContextResource) resource).getPath();
- locationPath = ((ServletContextResource) location).getPath();
+ locationPath = StringUtils.cleanPath(((ServletContextResource) location).getPath());
  }
  else {
  resourcePath = resource.getURL().getPath();
- locationPath = location.getURL().getPath();
+ locationPath = StringUtils.cleanPath(location.getURL().getPath());
  }
  locationPath = (locationPath.endsWith("/") || locationPath.isEmpty() ? locationPath : locationPath + "/");
  if (!resourcePath.startsWith(locationPath)) {
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/PathResourceResolverTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/PathResourceResolverTests.java
index 9a722e24ddc..d4839e53edc 100644
--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/PathResourceResolverTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/PathResourceResolverTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
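Review bot: In the `@@ -164,19 +165,19 @@` hunk of `PathResourceResolver.java`, only `locationPath` is passed through `StringUtils.cleanPath`; `resourcePath` is still compared raw in `resourcePath.startsWith(locationPath)`, so this containment check now relies on the resource path having been normalised somewhere outside the hunk. Because the prefix test is what keeps resolved resources under the configured location, I would normalise both sides, e.g. `resourcePath = StringUtils.cleanPath(resource.getURL().toExternalForm());` and likewise in the other three branches, or at least add a comment such as `// resourcePath is expected to be normalised already; only the location may still contain "../"`. The `UrlResource` branch also now mixes `toExternalForm()` for the resource with `toString()` for the location; using the same call on both keeps the comparison visibly symmetric. The enclosing method starts and ends outside this hunk, so any later check on `resourcePath` is not visible here.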
@@ -108,4 +108,13 @@ public class PathResourceResolverTests {
  assertTrue(this.resolver.checkResource(resource, servletContextLocation));
  }
 
+ // SPR-12624
+ @Test
+ public void checkRelativeLocation() throws Exception {
+ String locationUrl= new UrlResource(getClass().getResource("./test/")).getURL().toExternalForm();
+ Resource location = new UrlResource(locationUrl.replace("/springframework","/../org/springframework"));
+
+ assertNotNull(this.resolver.resolveResource(null, "main.css", Arrays.asList(location), null));
+ }
+
 }
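Review bot: `checkRelativeLocation` covers only the accepting case, that `main.css` resolves under a location containing `/../`, and only for a `UrlResource`. Since the production change touches the check that keeps resources inside the location, a companion assertion that a path outside the cleaned location still resolves to null would guard against regressions, e.g. `assertNull(this.resolver.resolveResource(null, "<path-outside-location>", Arrays.asList(location), null));` (the path is a placeholder). The `ClassPathResource` and `ServletContextResource` branches changed in the same commit are not exercised with a relative location by this test. Minor style: `String locationUrl=` is missing a space before `=`.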