Decode static resource path with UriUtils

rstoyanchev · rstoyanchev · commit e78179b96e41 · 2024-11-12T10:16:05.000Z
Closes gh-33859
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java b/spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
@@ -149,21 +149,22 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 
 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}
 
 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
@@ -56,6 +56,7 @@
 import org.springframework.web.server.MethodNotAllowedException;
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.WebHandler;
+import org.springframework.web.util.UriUtils;
 import org.springframework.web.util.pattern.PathPattern;
 
 /**
@@ -568,21 +569,22 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 
 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}
 
 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
@@ -150,21 +150,22 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 
 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}
 
 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@@ -63,6 +63,7 @@
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.servlet.HandlerMapping;
 import org.springframework.web.servlet.support.WebContentGenerator;
+import org.springframework.web.util.UriUtils;
 import org.springframework.web.util.UrlPathHelper;
 
 /**
@@ -727,21 +728,22 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 
 	private static String normalizePath(String path) {
 		String result = path;
+		result = decode(result);
 		if (result.contains("%")) {
 			result = decode(result);
-			if (result.contains("%")) {
-				result = decode(result);
-			}
-			if (result.contains("../")) {
-				return StringUtils.cleanPath(result);
-			}
+		}
+		if (!StringUtils.hasText(result)) {
+			return result;
+		}
+		if (result.contains("../")) {
+			return StringUtils.cleanPath(result);
 		}
 		return path;
 	}
 
 	private static String decode(String path) {
 		try {
-			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+			return UriUtils.decode(path, StandardCharsets.UTF_8);
 		}
 		catch (Exception ex) {
 			return "";
