Do not support relative static resource paths

Closes gh-33687
spring-projects · Oct 14, 2024 · 1a0b577 · 1a0b577
1 parent e191c34
commit 1a0b577
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 2 deletions.
diff --git a/...webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java b/...webflux/src/main/java/org/springframework/web/reactive/resource/ResourceHandlerUtils.java
@@ -140,7 +140,7 @@ public static boolean isInvalidPath(String path) {
 				return true;
 			}
 		}
-		if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
+		if (path.contains("../")) {
 			if (logger.isWarnEnabled()) {
 				logger.warn(LogFormatUtils.formatValue(
 						"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));

diff --git a/...flux/src/test/java/org/springframework/web/reactive/resource/ResourceWebHandlerTests.java b/...flux/src/test/java/org/springframework/web/reactive/resource/ResourceWebHandlerTests.java
@@ -687,6 +687,7 @@ void resolvePathWithTraversal(HttpMethod method) throws Exception {
 
 			testResolvePathWithTraversal(method, "../testsecret/secret.txt");
 			testResolvePathWithTraversal(method, "test/../../testsecret/secret.txt");
+			testResolvePathWithTraversal(method, "/testsecret/test/../secret.txt");
 			testResolvePathWithTraversal(method, ":/../../testsecret/secret.txt");
 
 			location = new UrlResource(getClass().getResource("./test/"));

diff --git a/...g-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java b/...g-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHandlerUtils.java
@@ -140,7 +140,7 @@ public static boolean isInvalidPath(String path) {
 				return true;
 			}
 		}
-		if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
+		if (path.contains("../")) {
 			if (logger.isWarnEnabled()) {
 				logger.warn(LogFormatUtils.formatValue(
 						"Path contains \"../\" after call to StringUtils#cleanPath: [" + path + "]", -1, true));

diff --git a/...c/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java b/...c/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java
@@ -643,6 +643,7 @@ void shouldRejectInvalidPath() throws Exception {
 			testInvalidPath("../testsecret/secret.txt");
 			testInvalidPath("test/../../testsecret/secret.txt");
 			testInvalidPath(":/../../testsecret/secret.txt");
+			testInvalidPath("/testsecret/test/../secret.txt");
 
 			Resource location = new UrlResource(ResourceHttpRequestHandlerTests.class.getResource("./test/"));
 			this.handler.setLocations(List.of(location));