From 7d3a3d35cea4e184642e933679cbd35814c7d17d Mon Sep 17 00:00:00 2001
From: rstoyanchev
Date: Mon, 14 Oct 2024 18:10:02 +0100
Subject: [PATCH] Update valid path checks for double encoding

See gh-33687
---
 .../resource/ResourceHandlerUtils.java | 28 ++++++++++--------
 .../resource/ResourceHandlerUtils.java | 29 +++++++++++--------
 2 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
index f4ff1f04ec6..2e5a1892343 100644
--- a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
@@ -152,24 +152,28 @@ public abstract class ResourceHandlerUtils {
 
 	private static boolean isInvalidEncodedPath(String path) {
 		if (path.contains("%")) {
-			try {
-				// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
-				String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
-				if (isInvalidPath(decodedPath)) {
-					return true;
-				}
-				decodedPath = normalizeInputPath(decodedPath);
-				if (isInvalidPath(decodedPath)) {
-					return true;
-				}
+			String decodedPath = decode(path);
+			if (decodedPath.contains("%")) {
+				decodedPath = decode(decodedPath);
 			}
-			catch (IllegalArgumentException ex) {
-				// May not be possible to decode...
+			if (isInvalidPath(decodedPath)) {
+				return true;
 			}
+			decodedPath = normalizeInputPath(decodedPath);
+			return isInvalidPath(decodedPath);
 		}
 		return false;
 	}
 
+	private static String decode(String path) {
+		try {
+			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
 	/**
 	 * Create a resource relative to the given {@link Resource}, also decoding
 	 * the resource path for a {@link UrlResource}.
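Review bot: The once-decoded form is never passed to `isInvalidPath` before the second `decode`, and a second decode that throws yields `""`, which `isInvalidPath` and `normalizeInputPath` presumably accept, so a path whose single decoding would already be rejected is now reported valid whenever its second decoding fails, whereas the removed lines rejected it right after the first decode. Validate after each decode as below; the identical hunk in spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java has the same gap. In `decode`, `catch (Exception ex)` is broader than the `IllegalArgumentException` that `URLDecoder.decode` actually throws, and the empty-string fallback deserves a comment such as `// Undecodable input: return "" so the caller does not reject the path here (matches the previous catch-and-continue behavior)`. The rationale comment dropped from the old code, `// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars`, is still true and belongs in `decode`.
```java
		if (path.contains("%")) {
			String decodedPath = decode(path);
			if (isInvalidPath(decodedPath)) {
				return true;
			}
			if (decodedPath.contains("%")) {
				decodedPath = decode(decodedPath);
				if (isInvalidPath(decodedPath)) {
					return true;
				}
			}
			// … unchanged: normalizeInputPath and final isInvalidPath check …
```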
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
index 178a1e32fad..5ec4e2ec0e4 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
@@ -157,24 +157,29 @@ public abstract class ResourceHandlerUtils {
 	 */
 	private static boolean isInvalidEncodedPath(String path) {
 		if (path.contains("%")) {
-			try {
-				// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars
-				String decodedPath = URLDecoder.decode(path, StandardCharsets.UTF_8);
-				if (isInvalidPath(decodedPath)) {
-					return true;
-				}
-				decodedPath = normalizeInputPath(decodedPath);
-				if (isInvalidPath(decodedPath)) {
-					return true;
-				}
+			String decodedPath = decode(path);
+			if (decodedPath.contains("%")) {
+				decodedPath = decode(decodedPath);
 			}
-			catch (IllegalArgumentException ex) {
-				// May not be possible to decode...
+			if (isInvalidPath(decodedPath)) {
+				return true;
 			}
+			decodedPath = normalizeInputPath(decodedPath);
+			return isInvalidPath(decodedPath);
 		}
 		return false;
 	}
 
+	private static String decode(String path) {
+		try {
+			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
+
 	/**
 	 * Check whether the resource is under the given location.
 	 */