Update processPath for double encoding

See spring-projectsgh-33689 (cherry picked from commit fb7890d)
tomitribe · Nov 4, 2024 · bf44f69 · bf44f69
1 parent c3187ec
commit bf44f69
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 32 deletions.
diff --git a/...ain/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java b/...ain/java/org/springframework/web/reactive/function/server/PathResourceLookupFunction.java
@@ -148,20 +148,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 	}
 
 	private static String normalizePath(String path) {
-		if (path.contains("%")) {
-			try {
-				path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+		String result = path;
+		if (result.contains("%")) {
+			result = decode(result);
+			if (result.contains("%")) {
+				result = decode(result);
 			}
-			catch (Exception ex) {
-				return "";
-			}
-			if (path.contains("../")) {
-				path = StringUtils.cleanPath(path);
+			if (result.contains("../")) {
+				return StringUtils.cleanPath(result);
 			}
 		}
 		return path;
 	}
 
+	private static String decode(String path) {
+		try {
+			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
 	private boolean isInvalidPath(String path) {
 		if (path.contains("WEB-INF") || path.contains("META-INF")) {
 			return true;

diff --git a/...g-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java b/...g-webflux/src/main/java/org/springframework/web/reactive/resource/ResourceWebHandler.java
@@ -540,20 +540,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 	}
 
 	private static String normalizePath(String path) {
-		if (path.contains("%")) {
-			try {
-				path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+		String result = path;
+		if (result.contains("%")) {
+			result = decode(result);
+			if (result.contains("%")) {
+				result = decode(result);
 			}
-			catch (Exception ex) {
-				return "";
-			}
-			if (path.contains("../")) {
-				path = StringUtils.cleanPath(path);
+			if (result.contains("../")) {
+				return StringUtils.cleanPath(result);
 			}
 		}
 		return path;
 	}
 
+	private static String decode(String path) {
+		try {
+			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
 	/**
 	 * Check whether the given path contains invalid escape sequences.
 	 * @param path the path to validate

diff --git a/...vc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java b/...vc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
@@ -149,20 +149,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 	}
 
 	private static String normalizePath(String path) {
-		if (path.contains("%")) {
-			try {
-				path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+		String result = path;
+		if (result.contains("%")) {
+			result = decode(result);
+			if (result.contains("%")) {
+				result = decode(result);
 			}
-			catch (Exception ex) {
-				return "";
-			}
-			if (path.contains("../")) {
-				path = StringUtils.cleanPath(path);
+			if (result.contains("../")) {
+				return StringUtils.cleanPath(result);
 			}
 		}
 		return path;
 	}
 
+	private static String decode(String path) {
+		try {
+			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
 	private boolean isInvalidPath(String path) {
 		if (path.contains("WEB-INF") || path.contains("META-INF")) {
 			return true;

diff --git a/...vc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java b/...vc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
@@ -694,20 +694,28 @@ else if (path.charAt(i) > ' ' && path.charAt(i) != 127) {
 	}
 
 	private static String normalizePath(String path) {
-		if (path.contains("%")) {
-			try {
-				path = URLDecoder.decode(path, StandardCharsets.UTF_8);
+		String result = path;
+		if (result.contains("%")) {
+			result = decode(result);
+			if (result.contains("%")) {
+				result = decode(result);
 			}
-			catch (Exception ex) {
-				return "";
-			}
-			if (path.contains("../")) {
-				path = StringUtils.cleanPath(path);
+			if (result.contains("../")) {
+				return StringUtils.cleanPath(result);
 			}
 		}
 		return path;
 	}
 
+	private static String decode(String path) {
+		try {
+			return URLDecoder.decode(path, StandardCharsets.UTF_8);
+		}
+		catch (Exception ex) {
+			return "";
+		}
+	}
+
 	/**
 	 * Check whether the given path contains invalid escape sequences.
 	 * @param path the path to validate