Merge pull request #25415 from thenx-wei/master

poutsma · poutsma · commit 74d3044641ff · 2020-07-20T11:11:14.000+02:00
* gh-25415: Simplify PathResourceLookupFunction
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/function/PathResourceLookupFunction.java
@@ -110,10 +110,7 @@ private boolean isInvalidPath(String path) {
 				return true;
 			}
 		}
-		if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
-				return true;
-			}
-		return false;
+		return path.contains("..") && StringUtils.cleanPath(path).contains("../");
 	}
 
 	private boolean isResourceUnderLocation(Resource resource) throws IOException {
@@ -144,10 +141,8 @@ else if (resource instanceof ClassPathResource) {
 		if (!resourcePath.startsWith(locationPath)) {
 			return false;
 		}
-		if (resourcePath.contains("%") && StringUtils.uriDecode(resourcePath, StandardCharsets.UTF_8).contains("../")) {
-			return false;
-		}
-		return true;
+		return !resourcePath.contains("%") ||
+				!StringUtils.uriDecode(resourcePath, StandardCharsets.UTF_8).contains("../");
 	}
 
 

Original file line number	Diff line number	Diff line change
`@@ -110,10 +110,7 @@ private boolean isInvalidPath(String path) {`
`110`	`110`	`return true;`
`111`	`111`	`}`
`112`	`112`	`}`
`113`		`- if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {`
`114`		`- return true;`
`115`		`- }`
`116`		`- return false;`
	`113`	`+ return path.contains("..") && StringUtils.cleanPath(path).contains("../");`
`117`	`114`	`}`
`118`	`115`
`119`	`116`	`private boolean isResourceUnderLocation(Resource resource) throws IOException {`
`@@ -144,10 +141,8 @@ else if (resource instanceof ClassPathResource) {`
`144`	`141`	`if (!resourcePath.startsWith(locationPath)) {`
`145`	`142`	`return false;`
`146`	`143`	`}`
`147`		`- if (resourcePath.contains("%") && StringUtils.uriDecode(resourcePath, StandardCharsets.UTF_8).contains("../")) {`
`148`		`- return false;`
`149`		`- }`
`150`		`- return true;`
	`144`	`+ return !resourcePath.contains("%") \|\|`
	`145`	`+ !StringUtils.uriDecode(resourcePath, StandardCharsets.UTF_8).contains("../");`
`151`	`146`	`}`
`152`	`147`
`153`	`148`