Update valid path checks for double encoding

See gh-33687
1 year ago · 7d3a3d35ce
2 changed files with 33 additions and 24 deletions
--- a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
@ -152,24 +152,28 @@ public abstract class ResourceHandlerUtils {
				@@ -152,24 +152,28 @@ public abstract class ResourceHandlerUtils {

 	private static boolean isInvalidEncodedPath(String path) {
 		if (path.contains("%")) {
-			try {
-				// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
-				String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
-				if (isInvalidPath(decodedPath)) {
-					return true;
-				}
-				decodedPath = normalizeInputPath(decodedPath);
-				if (isInvalidPath(decodedPath)) {
-					return true;
-				}
+			String decodedPath = decode(path);
+			if (decodedPath.contains("%")) {
+				decodedPath = decode(decodedPath);
 			}
-			catch (IllegalArgumentException ex) {
-				// May not be possible to decode...
+			if (isInvalidPath(decodedPath)) {
+				return true;
 			}
+			decodedPath = normalizeInputPath(decodedPath);
+			return isInvalidPath(decodedPath);
 		}
 		return false;
 	}

+	private static String decode(String path) {
+		try {
+			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
 	/**
 	 * Create a resource relative to the given {@link Resource}, also decoding
 	 * the resource path for a {@link UrlResource}.
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
@ -157,24 +157,29 @@ public abstract class ResourceHandlerUtils {
				@@ -157,24 +157,29 @@ public abstract class ResourceHandlerUtils {
 	 */
 	private static boolean isInvalidEncodedPath(String path) {
 		if (path.contains("%")) {
-			try {
-				// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
-				String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
-				if (isInvalidPath(decodedPath)) {
-					return true;
-				}
-				decodedPath = normalizeInputPath(decodedPath);
-				if (isInvalidPath(decodedPath)) {
-					return true;
-				}
+			String decodedPath = decode(path);
+			if (decodedPath.contains("%")) {
+				decodedPath = decode(decodedPath);
 			}
-			catch (IllegalArgumentException ex) {
-				// May not be possible to decode...
+			if (isInvalidPath(decodedPath)) {
+				return true;
 			}
+			decodedPath = normalizeInputPath(decodedPath);
+			return isInvalidPath(decodedPath);
 		}
 		return false;
 	}

+	private static String decode(String path) {
+		try {
+			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
+
 	/**
 	 * Check whether the resource is under the given location.
 	 */