
Commit fb7890d

committed
Update processPath for double encoding
See gh-33689
1 parent 7c2c4d7 commit fb7890d

4 files changed

+64
-32
lines changed


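--- a/spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
@@ -148,20 +148,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 }
 
 private static String normalizePath(String path) {
-if (path.contains("%")) {
-try {
-path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+String result = path;
+if (result.contains("%")) {
+result = decode(result);
+if (result.contains("%")) {
+result = decode(result);
 }
-catch (Exception ex) {
-return "";
-}
-if (path.contains("../")) {
-path = StringUtils.cleanPath(path);
+if (result.contains("../")) {
+return StringUtils.cleanPath(result);
 }
 }
 return path;
 }
 
+private static String decode(String path) {
+try {
+return URLDecoder.decode(path, StandardCharsets.UTF_8);
+}
+catch (Exception ex) {
+return "";
+}
+}
+
 private boolean isInvalidPath(String path) {
 if (path.contains("WEB-INF") || path.contains("META-INF")) {
 return true;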
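Review bot: A decode failure no longer rejects the path in `normalizePath`: `decode` returns `""` on any exception, the empty `result` then fails both the `%` and the `../` checks, and the method falls through to `return path`, handing back the raw input where the removed code returned `""`. The same happens when only the second `decode(result)` throws, in which case a first-pass result that already contained `../` is discarded without reaching `StringUtils.cleanPath`. If the earlier fail-closed behaviour is still intended, add `if (result.isEmpty()) { return ""; }` after each `decode(result)` call; otherwise a comment should name the later check (presumably `isInvalidPath` or the escape-sequence validation, both of which continue outside this hunk) that is relied on to reject such input. The identical sections in ResourceWebHandler and the two spring-webmvc files are affected the same way.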

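--- a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
+++ b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
@@ -567,20 +567,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 }
 
 private static String normalizePath(String path) {
-if (path.contains("%")) {
-try {
-path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+String result = path;
+if (result.contains("%")) {
+result = decode(result);
+if (result.contains("%")) {
+result = decode(result);
 }
-catch (Exception ex) {
-return "";
-}
-if (path.contains("../")) {
-path = StringUtils.cleanPath(path);
+if (result.contains("../")) {
+return StringUtils.cleanPath(result);
 }
 }
 return path;
 }
 
+private static String decode(String path) {
+try {
+return URLDecoder.decode(path, StandardCharsets.UTF_8);
+}
+catch (Exception ex) {
+return "";
+}
+}
+
 /**
 * Check whether the given path contains invalid escape sequences.
 * @param path the path to validate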
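Review bot: `normalizePath` and the new `decode` helper have no comment stating their contract, which is not obvious from the code: decoding is capped at two passes, the decoded `result` is used only to detect `../`, and the undecoded `path` is returned whenever no `../` is found. I would add a short Javadoc on `normalizePath` covering those three points with a reference to gh-33689, and on `decode` the line `// Returns "" when the input is not valid percent-encoding`. The helper is also repeated verbatim in four classes (this one, both PathResourceLookupFunction variants and ResourceHttpRequestHandler), so moving it to a shared utility, if the module layout allows, would keep later encoding fixes from drifting apart.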

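--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
@@ -149,20 +149,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 }
 
 private static String normalizePath(String path) {
-if (path.contains("%")) {
-try {
-path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+String result = path;
+if (result.contains("%")) {
+result = decode(result);
+if (result.contains("%")) {
+result = decode(result);
 }
-catch (Exception ex) {
-return "";
-}
-if (path.contains("../")) {
-path = StringUtils.cleanPath(path);
+if (result.contains("../")) {
+return StringUtils.cleanPath(result);
 }
 }
 return path;
 }
 
+private static String decode(String path) {
+try {
+return URLDecoder.decode(path, StandardCharsets.UTF_8);
+}
+catch (Exception ex) {
+return "";
+}
+}
+
 private boolean isInvalidPath(String path) {
 if (path.contains("WEB-INF") || path.contains("META-INF")) {
 return true;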

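--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@@ -726,20 +726,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 }
 
 private static String normalizePath(String path) {
-if (path.contains("%")) {
-try {
-path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+String result = path;
+if (result.contains("%")) {
+result = decode(result);
+if (result.contains("%")) {
+result = decode(result);
 }
-catch (Exception ex) {
-return "";
-}
-if (path.contains("../")) {
-path = StringUtils.cleanPath(path);
+if (result.contains("../")) {
+return StringUtils.cleanPath(result);
 }
 }
 return path;
 }
 
+private static String decode(String path) {
+try {
+return URLDecoder.decode(path, StandardCharsets.UTF_8);
+}
+catch (Exception ex) {
+return "";
+}
+}
+
 /**
 * Check whether the given path contains invalid escape sequences.
 * @param path the path to validate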
