Simplified separator check within isInvalidEncodedPath

Issue: SPR-16616
8 years ago · f046a066ec
2 changed files with 14 additions and 19 deletions
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
@ -285,13 +285,9 @@ public class PathResourceResolver extends AbstractResourceResolver {
				@@ -285,13 +285,9 @@ public class PathResourceResolver extends AbstractResourceResolver {
 			// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
 			try {
 				String decodedPath = URLDecoder.decode(resourcePath, "UTF-8");
-				int separatorIndex = decodedPath.indexOf("..") + 2;
-				if (separatorIndex > 1 && separatorIndex < decodedPath.length()) {
-					char separator = decodedPath.charAt(separatorIndex);
-					if (separator == '/' || separator == '\\') {
-						if (logger.isTraceEnabled()) {
-							logger.trace("Resolved resource path contains \"../\" after decoding: " + resourcePath);
-						}
+				if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
+					if (logger.isTraceEnabled()) {
+						logger.trace("Ignoring invalid resource path with escape sequences [" + resourcePath + "]");
 					}
 					return true;
 				}
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@ -69,24 +69,23 @@ import org.springframework.web.util.UrlPathHelper;
				@@ -69,24 +69,23 @@ import org.springframework.web.util.UrlPathHelper;
 * according to the guidelines of Page Speed, YSlow, etc.
 *
 * <p>The {@linkplain #setLocations "locations"} property takes a list of Spring
- * {@link Resource} locations from which static resources are allowed to
- * be served by this handler. Resources could be served from a classpath location,
- * e.g. "classpath:/META-INF/public-web-resources/", allowing convenient packaging
+ * {@link Resource} locations from which static resources are allowed to be served
+ * by this handler. Resources could be served from a classpath location, e.g.
+ * "classpath:/META-INF/public-web-resources/", allowing convenient packaging
 * and serving of resources such as .js, .css, and others in jar files.
 *
 * <p>This request handler may also be configured with a
 * {@link #setResourceResolvers(List) resourcesResolver} and
 * {@link #setResourceTransformers(List) resourceTransformer} chains to support
- * arbitrary resolution and transformation of resources being served. By default a
- * {@link PathResourceResolver} simply finds resources based on the configured
- * "locations". An application can configure additional resolvers and
- * transformers such as the {@link VersionResourceResolver} which can resolve
- * and prepare URLs for resources with a version in the URL.
+ * arbitrary resolution and transformation of resources being served. By default
+ * a {@link PathResourceResolver} simply finds resources based on the configured
+ * "locations". An application can configure additional resolvers and transformers
+ * such as the {@link VersionResourceResolver} which can resolve and prepare URLs
+ * for resources with a version in the URL.
 *
- * <p>This handler also properly evaluates the {@code Last-Modified} header (if
- * present) so that a {@code 304} status code will be returned as appropriate,
- * avoiding unnecessary overhead for resources that are already cached by the
- * client.
+ * <p>This handler also properly evaluates the {@code Last-Modified} header
+ * (if present) so that a {@code 304} status code will be returned as appropriate,
+ * avoiding unnecessary overhead for resources that are already cached by the client.
 *
 * @author Keith Donald
 * @author Jeremy Grelle