GitHub-Spring
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Update processPath for double encoding 

See gh-33689
pull/33720/head
rstoyanchev 1 year ago
parent
7c2c4d7c9a
commit
fb7890d739
4 changed files with 64 additions and 32 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 24
      spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
  2. 24
      spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
  3. 24
      spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
  4. 24
      spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java

24
spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
Unescape View File

@ -148,20 +148,28 @@ class PathResourceLookupFunction implements Function<ServerRequest, Mono<Resourc
} }
private static String normalizePath(String path) { private static String normalizePath(String path) {
if (path.contains("%")) { String result = path;
try { if (result.contains("%")) {
path = URLDecoder.decode(path, StandardCharsets.UTF_8); result = decode(result);
if (result.contains("%")) {
result = decode(result);
} }
catch (Exception ex) { if (result.contains("../")) {
return ""; return StringUtils.cleanPath(result);
}
if (path.contains("../")) {
path = StringUtils.cleanPath(path);
} }
} }
return path; return path;
} }
private static String decode(String path) {
try {
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
}
private boolean isInvalidPath(String path) { private boolean isInvalidPath(String path) {
if (path.contains("WEB-INF") || path.contains("META-INF")) { if (path.contains("WEB-INF") || path.contains("META-INF")) {
return true; return true;

24
spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
Unescape View File

@ -567,20 +567,28 @@ public class ResourceWebHandler implements WebHandler, InitializingBean {
} }
private static String normalizePath(String path) { private static String normalizePath(String path) {
if (path.contains("%")) { String result = path;
try { if (result.contains("%")) {
path = URLDecoder.decode(path, StandardCharsets.UTF_8); result = decode(result);
if (result.contains("%")) {
result = decode(result);
} }
catch (Exception ex) { if (result.contains("../")) {
return ""; return StringUtils.cleanPath(result);
}
if (path.contains("../")) {
path = StringUtils.cleanPath(path);
} }
} }
return path; return path;
} }
private static String decode(String path) {
try {
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
}
/** /**
* Check whether the given path contains invalid escape sequences. * Check whether the given path contains invalid escape sequences.
* @param path the path to validate * @param path the path to validate

24
spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
Unescape View File

@ -149,20 +149,28 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
} }
private static String normalizePath(String path) { private static String normalizePath(String path) {
if (path.contains("%")) { String result = path;
try { if (result.contains("%")) {
path = URLDecoder.decode(path, StandardCharsets.UTF_8); result = decode(result);
if (result.contains("%")) {
result = decode(result);
} }
catch (Exception ex) { if (result.contains("../")) {
return ""; return StringUtils.cleanPath(result);
}
if (path.contains("../")) {
path = StringUtils.cleanPath(path);
} }
} }
return path; return path;
} }
private static String decode(String path) {
try {
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
}
private boolean isInvalidPath(String path) { private boolean isInvalidPath(String path) {
if (path.contains("WEB-INF") || path.contains("META-INF")) { if (path.contains("WEB-INF") || path.contains("META-INF")) {
return true; return true;

24
spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
Unescape View File

@ -726,20 +726,28 @@ public class ResourceHttpRequestHandler extends WebContentGenerator
} }
private static String normalizePath(String path) { private static String normalizePath(String path) {
if (path.contains("%")) { String result = path;
try { if (result.contains("%")) {
path = URLDecoder.decode(path, StandardCharsets.UTF_8); result = decode(result);
if (result.contains("%")) {
result = decode(result);
} }
catch (Exception ex) { if (result.contains("../")) {
return ""; return StringUtils.cleanPath(result);
}
if (path.contains("../")) {
path = StringUtils.cleanPath(path);
} }
} }
return path; return path;
} }
private static String decode(String path) {
try {
return URLDecoder.decode(path, StandardCharsets.UTF_8);
}
catch (Exception ex) {
return "";
}
}
/** /**
* Check whether the given path contains invalid escape sequences. * Check whether the given path contains invalid escape sequences.
* @param path the path to validate * @param path the path to validate

Write Preview
Loading…
Cancel
Save