Commit cbe2f36

committed
Decode static resource path with UriUtils
See gh-33859
1 parent 9dabfdf commit cbe2f36

2 files changed

+25
-24
lines changed

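--- a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
@@ -196,23 +196,23 @@ public static boolean isInvalidPath(String path) {
 }
 
 private static boolean isInvalidEncodedPath(String path) {
-if (path.contains("%")) {
-String decodedPath = decode(path);
-if (decodedPath.contains("%")) {
-decodedPath = decode(decodedPath);
-}
-if (isInvalidPath(decodedPath)) {
-return true;
-}
-decodedPath = normalizeInputPath(decodedPath);
-return isInvalidPath(decodedPath);
+String decodedPath = decode(path);
+if (decodedPath.contains("%")) {
+decodedPath = decode(decodedPath);
 }
-return false;
+if (!StringUtils.hasText(decodedPath)) {
+return true;
+}
+if (isInvalidPath(decodedPath)) {
+return true;
+}
+decodedPath = normalizeInputPath(decodedPath);
+return isInvalidPath(decodedPath);
 }
 
 private static String decode(String path) {
 try {
-return URLDecoder.decode(path, StandardCharsets.UTF_8);
+return UriUtils.decode(path, StandardCharsets.UTF_8);
 }
 catch (Exception ex) {
 return "";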
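Review bot: The new `!StringUtils.hasText(decodedPath)` check in `isInvalidEncodedPath` is what makes a failed decode fail closed, because `decode` swallows every exception and returns `""`, but nothing in the hunk states that coupling. A comment above the check such as `// decode() returns "" on malformed input; reject rather than serve` would keep a later cleanup from removing it. `hasText` also rejects a path that decodes to whitespace only; if only the failure sentinel is meant, `decodedPath.isEmpty()` is narrower. Both changed files are under src/main, so a test pinning a malformed escape and a literal `+` (which `UriUtils.decode` leaves as-is, unlike `URLDecoder`) would be worth adding; the same applies to the spring-webmvc copy. `decode`'s catch block continues outside the hunk.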

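--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
@@ -32,6 +32,7 @@
 import org.springframework.util.ResourceUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.ServletContextResource;
+import org.springframework.web.util.UriUtils;
 
 /**
 * Resource handling utility methods to share common logic between
@@ -201,23 +202,23 @@ public static boolean isInvalidPath(String path) {
 * @return {@code true} if the path is invalid, {@code false} otherwise
 */
 private static boolean isInvalidEncodedPath(String path) {
-if (path.contains("%")) {
-String decodedPath = decode(path);
-if (decodedPath.contains("%")) {
-decodedPath = decode(decodedPath);
-}
-if (isInvalidPath(decodedPath)) {
-return true;
-}
-decodedPath = normalizeInputPath(decodedPath);
-return isInvalidPath(decodedPath);
+String decodedPath = decode(path);
+if (decodedPath.contains("%")) {
+decodedPath = decode(decodedPath);
 }
-return false;
+if (!StringUtils.hasText(decodedPath)) {
+return true;
+}
+if (isInvalidPath(decodedPath)) {
+return true;
+}
+decodedPath = normalizeInputPath(decodedPath);
+return isInvalidPath(decodedPath);
 }
 
 private static String decode(String path) {
 try {
-return URLDecoder.decode(path, StandardCharsets.UTF_8);
+return UriUtils.decode(path, StandardCharsets.UTF_8);
 }
 catch (Exception ex) {
 return "";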
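Review bot: The Javadoc that ends at `@return {@code true} if the path is invalid, {@code false} otherwise` is left as it was, although `isInvalidEncodedPath` now decodes every path and treats a blank or undecodable result as invalid. The Javadoc starts outside the hunk, so its wording is not visible here; if it still describes the check as applying only to paths that contain `%`, it should be updated, for example by adding `Paths that cannot be decoded, or that decode to blank, are treated as invalid.` The spring-webflux copy of the method should carry the same sentence.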
