4 files changed +64 -32 lines changed
spring-webflux/src/main/java/org/springframework/web/reactive
spring-webmvc/src/main/java/org/springframework/web/servlet
@@ -148,20 +148,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
148
148
}
149
149
150
150
private static String normalizePath (String path ) {
151
- if (path .contains ("%" )) {
152
- try {
153
- path = URLDecoder .decode (path , StandardCharsets .UTF_8 );
151
+ String result = path ;
152
+ if (result .contains ("%" )) {
153
+ result = decode (result );
154
+ if (result .contains ("%" )) {
155
+ result = decode (result );
154
156
}
155
- catch (Exception ex ) {
156
- return "" ;
157
- }
158
- if (path .contains ("../" )) {
159
- path = StringUtils .cleanPath (path );
157
+ if (result .contains ("../" )) {
158
+ return StringUtils .cleanPath (result );
160
159
}
161
160
}
162
161
return path ;
163
162
}
164
163
164
+ private static String decode (String path ) {
165
+ try {
166
+ return URLDecoder .decode (path , StandardCharsets .UTF_8 );
167
+ }
168
+ catch (Exception ex ) {
169
+ return "" ;
170
+ }
171
+ }
172
+
165
173
private boolean isInvalidPath (String path ) {
166
174
if (path .contains ("WEB-INF" ) || path .contains ("META-INF" )) {
167
175
return true ;
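Review bot: A malformed escape sequence no longer rejects the path. `decode` returns `""` on failure, but `normalizePath` uses that value only for the two `contains` checks and then falls through to `return path`, so the raw, still-encoded input is handed back where the old code returned `""`. If the empty string was the rejection signal, restore it after the first pass with `if (result.isEmpty()) { return ""; }`; if pass-through is intended, state that in a comment on `decode` and name the later check that rejects such input. Decoding is also capped at two passes, so input that still contains `%` after the second pass is never tested for `../` in decoded form; a short comment saying why two passes suffice would help (presumably nothing downstream decodes further, which is not visible here). The same code is added in the three other file sections (hunks at `@@ -540,20`, `@@ -149,20` and `@@ -694,20`).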
@@ -540,20 +540,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
540
540
}
541
541
542
542
private static String normalizePath (String path ) {
543
- if (path .contains ("%" )) {
544
- try {
545
- path = URLDecoder .decode (path , StandardCharsets .UTF_8 );
543
+ String result = path ;
544
+ if (result .contains ("%" )) {
545
+ result = decode (result );
546
+ if (result .contains ("%" )) {
547
+ result = decode (result );
546
548
}
547
- catch (Exception ex ) {
548
- return "" ;
549
- }
550
- if (path .contains ("../" )) {
551
- path = StringUtils .cleanPath (path );
549
+ if (result .contains ("../" )) {
550
+ return StringUtils .cleanPath (result );
552
551
}
553
552
}
554
553
return path ;
555
554
}
556
555
556
+ private static String decode (String path ) {
557
+ try {
558
+ return URLDecoder .decode (path , StandardCharsets .UTF_8 );
559
+ }
560
+ catch (Exception ex ) {
561
+ return "" ;
562
+ }
563
+ }
564
+
557
565
/**
558
566
* Check whether the given path contains invalid escape sequences.
559
567
* @param path the path to validate
@@ -149,20 +149,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
149
149
}
150
150
151
151
private static String normalizePath (String path ) {
152
- if (path .contains ("%" )) {
153
- try {
154
- path = URLDecoder .decode (path , StandardCharsets .UTF_8 );
152
+ String result = path ;
153
+ if (result .contains ("%" )) {
154
+ result = decode (result );
155
+ if (result .contains ("%" )) {
156
+ result = decode (result );
155
157
}
156
- catch (Exception ex ) {
157
- return "" ;
158
- }
159
- if (path .contains ("../" )) {
160
- path = StringUtils .cleanPath (path );
158
+ if (result .contains ("../" )) {
159
+ return StringUtils .cleanPath (result );
161
160
}
162
161
}
163
162
return path ;
164
163
}
165
164
165
+ private static String decode (String path ) {
166
+ try {
167
+ return URLDecoder .decode (path , StandardCharsets .UTF_8 );
168
+ }
169
+ catch (Exception ex ) {
170
+ return "" ;
171
+ }
172
+ }
173
+
166
174
private boolean isInvalidPath (String path ) {
167
175
if (path .contains ("WEB-INF" ) || path .contains ("META-INF" )) {
168
176
return true ;
@@ -694,20 +694,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
694
694
}
695
695
696
696
private static String normalizePath (String path ) {
697
- if (path .contains ("%" )) {
698
- try {
699
- path = URLDecoder .decode (path , StandardCharsets .UTF_8 );
697
+ String result = path ;
698
+ if (result .contains ("%" )) {
699
+ result = decode (result );
700
+ if (result .contains ("%" )) {
701
+ result = decode (result );
700
702
}
701
- catch (Exception ex ) {
702
- return "" ;
703
- }
704
- if (path .contains ("../" )) {
705
- path = StringUtils .cleanPath (path );
703
+ if (result .contains ("../" )) {
704
+ return StringUtils .cleanPath (result );
706
705
}
707
706
}
708
707
return path ;
709
708
}
710
709
710
+ private static String decode (String path ) {
711
+ try {
712
+ return URLDecoder .decode (path , StandardCharsets .UTF_8 );
713
+ }
714
+ catch (Exception ex ) {
715
+ return "" ;
716
+ }
717
+ }
718
+
711
719
/**
712
720
* Check whether the given path contains invalid escape sequences.
713
721
* @param path the path to validate