diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
index e8cbd8ee50b..63baaf1baae 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
@@ -285,13 +285,9 @@ public class PathResourceResolver extends AbstractResourceResolver {
 // Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
 try {
 String decodedPath = URLDecoder.decode(resourcePath, "UTF-8");
- int separatorIndex = decodedPath.indexOf("..") + 2;
- if (separatorIndex > 1 && separatorIndex < decodedPath.length()) {
- char separator = decodedPath.charAt(separatorIndex);
- if (separator == '/' || separator == '\\') {
- if (logger.isTraceEnabled()) {
- logger.trace("Resolved resource path contains \"../\" after decoding: " + resourcePath);
- }
+ if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
+ if (logger.isTraceEnabled()) {
+ logger.trace("Ignoring invalid resource path with escape sequences [" + resourcePath + "]");
 }
 return true;
 }
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
index 9bd4a5f92cf..531167c1d3c 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@@ -69,24 +69,23 @@ import org.springframework.web.util.UrlPathHelper;
 * according to the guidelines of Page Speed, YSlow, etc.
 *
 *
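Review bot: The new `decodedPath.contains("../") || decodedPath.contains("..\\")` check runs on the result of a single `URLDecoder.decode` pass, so a double-encoded traversal such as `%252e%252e%2f` decodes to `%2e%2e/` and is accepted; that is only safe if nothing downstream (the servlet container, a later resolver, the filesystem or URL lookup) decodes the path a second time, which this hunk cannot show. Decoding repeatedly while the result still contains `%`, with a small cap so hostile input cannot spin the loop, makes the check independent of that assumption; a leftover lone `%` from a legitimately encoded `%25` would then raise `IllegalArgumentException` and land in the existing catch clauses, so what those return decides whether such paths are served. A decoded path that ends in a bare `..` with no trailing separator also passes this test; whether the caller's check on the undecoded path covers that case is not visible here. The enclosing method, including the `try` and its catch clauses, starts and ends outside the hunk.
```java
String decodedPath = URLDecoder.decode(resourcePath, "UTF-8");
// Double-encoded input (%252e%252e%2f -> %2e%2e/ -> ../) survives one pass;
// keep decoding while '%' remains, capped so a hostile path cannot loop for long.
int decodePasses = 0;
while (decodedPath.contains("%") && ++decodePasses <= 5) {
	decodedPath = URLDecoder.decode(decodedPath, "UTF-8");
}
if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
// … unchanged: trace logging and return true …
```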
The {@linkplain #setLocations "locations"} property takes a list of Spring
- * {@link Resource} locations from which static resources are allowed to
- * be served by this handler. Resources could be served from a classpath location,
- * e.g. "classpath:/META-INF/public-web-resources/", allowing convenient packaging
+ * {@link Resource} locations from which static resources are allowed to be served
+ * by this handler. Resources could be served from a classpath location, e.g.
+ * "classpath:/META-INF/public-web-resources/", allowing convenient packaging
 * and serving of resources such as .js, .css, and others in jar files.
 *
 *
This request handler may also be configured with a
 * {@link #setResourceResolvers(List) resourcesResolver} and
 * {@link #setResourceTransformers(List) resourceTransformer} chains to support
- * arbitrary resolution and transformation of resources being served. By default a
- * {@link PathResourceResolver} simply finds resources based on the configured
- * "locations". An application can configure additional resolvers and
- * transformers such as the {@link VersionResourceResolver} which can resolve
- * and prepare URLs for resources with a version in the URL.
+ * arbitrary resolution and transformation of resources being served. By default
+ * a {@link PathResourceResolver} simply finds resources based on the configured
+ * "locations". An application can configure additional resolvers and transformers
+ * such as the {@link VersionResourceResolver} which can resolve and prepare URLs
+ * for resources with a version in the URL.
 *
- *
This handler also properly evaluates the {@code Last-Modified} header (if
- * present) so that a {@code 304} status code will be returned as appropriate,
- * avoiding unnecessary overhead for resources that are already cached by the
- * client.
+ *
This handler also properly evaluates the {@code Last-Modified} header
+ * (if present) so that a {@code 304} status code will be returned as appropriate,
+ * avoiding unnecessary overhead for resources that are already cached by the client.
 *
 * @author Keith Donald
 * @author Jeremy Grelle