Decode static resource path with UriUtils

Closes spring-projectsgh-33859
succsoft · Dec 4, 2024 · 39f0773 · 39f0773
1 parent 17b6a1e
commit 39f0773
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 27 deletions.
diff --git a/...ain/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java b/...ain/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
@@ -76,6 +76,7 @@ public Mono<Resource> apply(ServerRequest request) {
 			throw new UncheckedIOException(ex);
 		}
 	}
+
 	@Override
 	public String toString() {
 		return this.pattern + " -> " + this.location;

diff --git a/...webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java b/...webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
@@ -98,24 +98,25 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 		}
 		return (slash ? "/" : "");
 	}
-	
+
 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}
 
 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";

diff --git a/...vc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java b/...vc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
@@ -91,7 +91,6 @@ public Optional<Resource> apply(ServerRequest request) {
 	protected String processPath(String path) {
 		return ResourceHandlerUtils.normalizeInputPath(path);
 	}
-
 	@Override
 	public String toString() {
 		return this.pattern + " -> " + this.location;

diff --git a/...g-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java b/...g-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
@@ -30,6 +30,7 @@
 import org.springframework.util.ResourceUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.ServletContextResource;
+import org.springframework.web.util.UriUtils;
 
 /**
  * Resource handling utility methods to share common logic between
@@ -56,25 +57,34 @@ public abstract class ResourceHandlerUtils {
 	public static String normalizeInputPath(String path) {
 		path = StringUtils.replace(path, "\\", "/");
 		path = cleanDuplicateSlashes(path);
-		path =  cleanLeadingSlash(path);
+		path = cleanLeadingSlash(path);
 		return normalizePath(path);
 	}
 
 	private static String normalizePath(String path) {
-		if (path.contains("%")) {
-			try {
-				path = URLDecoder.decode(path, StandardCharsets.UTF_8);
-			}
-			catch (Exception ex) {
-				return "";
-			}
-			if (path.contains("../")) {
-				path = StringUtils.cleanPath(path);
-			}
+		String result = path;
+		result = decode(result);
+		if (result.contains("%")) {
+			result = decode(result);
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}
 
+	private static String decode(String path) {
+		try {
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
 	private static String cleanDuplicateSlashes(String path) {
 		StringBuilder sb = null;
 		char prev = 0;

diff --git a/...vc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java b/...vc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@@ -60,6 +60,7 @@
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.servlet.HandlerMapping;
 import org.springframework.web.servlet.support.WebContentGenerator;
+import org.springframework.web.util.UriUtils;
 import org.springframework.web.util.UrlPathHelper;
 
 /**
@@ -681,21 +682,22 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 
 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}
 
 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";