
Commit bf44f69

rstoyanchevcesarhernandezgt
authored andcommitted
Update processPath for double encoding
See spring-projectsgh-33689 (cherry picked from commit fb7890d)
1 parent c3187ec commit bf44f69


4 files changed

+64
-32
lines changed


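--- a/spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
@@ -148,20 +148,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 }
 
 private static String normalizePath(String path) {
-if (path.contains("%")) {
-try {
-path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+String result = path;
+if (result.contains("%")) {
+result = decode(result);
+if (result.contains("%")) {
+result = decode(result);
 }
-catch (Exception ex) {
-return "";
-}
-if (path.contains("../")) {
-path = StringUtils.cleanPath(path);
+if (result.contains("../")) {
+return StringUtils.cleanPath(result);
 }
 }
 return path;
 }
 
+private static String decode(String path) {
+try {
+return URLDecoder.decode(path, StandardCharsets.UTF_8);
+}
+catch (Exception ex) {
+return "";
+}
+}
+
 private boolean isInvalidPath(String path) {
 if (path.contains("WEB-INF") || path.contains("META-INF")) {
 return true;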
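Review bot: A decode failure no longer produces an empty path from normalizePath. The removed code returned `""` directly from its catch block; now decode() hands `""` back into `result`, neither `contains("%")` nor `contains("../")` matches it, and control falls through to `return path;`, so a path with malformed percent-encoding comes back unchanged and its rejection depends entirely on later checks that lie outside this hunk. If the earlier fail-closed behaviour is intended, add `if (result.isEmpty()) { return result; }` after the decode calls and before the `"../"` test. The same lines appear in the ResourceWebHandler, webmvc PathResourceLookupFunction and ResourceHttpRequestHandler sections.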

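--- a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
@@ -540,20 +540,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 }
 
 private static String normalizePath(String path) {
-if (path.contains("%")) {
-try {
-path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+String result = path;
+if (result.contains("%")) {
+result = decode(result);
+if (result.contains("%")) {
+result = decode(result);
 }
-catch (Exception ex) {
-return "";
-}
-if (path.contains("../")) {
-path = StringUtils.cleanPath(path);
+if (result.contains("../")) {
+return StringUtils.cleanPath(result);
 }
 }
 return path;
 }
 
+private static String decode(String path) {
+try {
+return URLDecoder.decode(path, StandardCharsets.UTF_8);
+}
+catch (Exception ex) {
+return "";
+}
+}
+
 /**
 * Check whether the given path contains invalid escape sequences.
 * @param path the path to validate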
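Review bot: normalizePath and the new decode() helper have no comment stating why the path is decoded twice or what the method returns, and the contract is not obvious: the decoded value is used only for the `"../"` test, and the caller gets either the cleaned decoded path or the original, still-encoded `path`. Above normalizePath I would add `// Decode up to two times so a double-encoded "../" is detected; returns the cleaned decoded path when one is found, otherwise the original path unchanged.` and on decode() `// Returns "" when the input is not valid percent-encoding.` The decode depth is fixed at two, so input encoded more deeply is returned as-is; whether that is sufficient depends on how often later resource resolution decodes, which this hunk does not show, and the comment should say which assumption is being made. The same applies to the other three file sections.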

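--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
@@ -149,20 +149,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 }
 
 private static String normalizePath(String path) {
-if (path.contains("%")) {
-try {
-path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+String result = path;
+if (result.contains("%")) {
+result = decode(result);
+if (result.contains("%")) {
+result = decode(result);
 }
-catch (Exception ex) {
-return "";
-}
-if (path.contains("../")) {
-path = StringUtils.cleanPath(path);
+if (result.contains("../")) {
+return StringUtils.cleanPath(result);
 }
 }
 return path;
 }
 
+private static String decode(String path) {
+try {
+return URLDecoder.decode(path, StandardCharsets.UTF_8);
+}
+catch (Exception ex) {
+return "";
+}
+}
+
 private boolean isInvalidPath(String path) {
 if (path.contains("WEB-INF") || path.contains("META-INF")) {
 return true;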
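Review bot: The normalizePath/decode pair added here is line-for-line identical to the copies in the webflux PathResourceLookupFunction, ResourceWebHandler and ResourceHttpRequestHandler sections, so any later correction to this traversal check has to be applied four times and a missed copy leaves one handler with the older logic. Consider moving both private static methods into one shared helper that all four classes call; where such a helper could live is not visible on this page. If that is out of scope for a cherry-pick, a comment on each copy such as `// Keep in sync with the other normalizePath copies (PathResourceLookupFunction, ResourceWebHandler, ResourceHttpRequestHandler).` would at least record the coupling.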

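--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@@ -694,20 +694,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 }
 
 private static String normalizePath(String path) {
-if (path.contains("%")) {
-try {
-path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+String result = path;
+if (result.contains("%")) {
+result = decode(result);
+if (result.contains("%")) {
+result = decode(result);
 }
-catch (Exception ex) {
-return "";
-}
-if (path.contains("../")) {
-path = StringUtils.cleanPath(path);
+if (result.contains("../")) {
+return StringUtils.cleanPath(result);
 }
 }
 return path;
 }
 
+private static String decode(String path) {
+try {
+return URLDecoder.decode(path, StandardCharsets.UTF_8);
+}
+catch (Exception ex) {
+return "";
+}
+}
+
 /**
 * Check whether the given path contains invalid escape sequences.
 * @param path the path to validate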
