|
|
@ -284,16 +284,7 @@ public class PathResourceResolver extends AbstractResourceResolver { |
|
|
|
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
|
|
|
|
// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
|
|
|
|
try { |
|
|
|
try { |
|
|
|
String decodedPath = URLDecoder.decode(resourcePath, "UTF-8"); |
|
|
|
String decodedPath = URLDecoder.decode(resourcePath, "UTF-8"); |
|
|
|
int separatorIndex = decodedPath.indexOf("..") + 2; |
|
|
|
return (decodedPath.contains("../") || decodedPath.contains("..\\")); |
|
|
|
if (separatorIndex > 1 && separatorIndex < decodedPath.length()) { |
|
|
|
|
|
|
|
char separator = decodedPath.charAt(separatorIndex); |
|
|
|
|
|
|
|
if (separator == '/' || separator == '\\') { |
|
|
|
|
|
|
|
if (logger.isTraceEnabled()) { |
|
|
|
|
|
|
|
logger.trace("Resolved resource path contains \"../\" after decoding: " + resourcePath); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
return true; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
catch (UnsupportedEncodingException ex) { |
|
|
|
catch (UnsupportedEncodingException ex) { |
|
|
|
// Should never happen...
|
|
|
|
// Should never happen...
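Review bot: The new `return (decodedPath.contains("../") || decodedPath.contains("..\\"));` line drops the trace message the old branch emitted, so a path rejected here no longer leaves any log entry from this method. Keeping it costs little: `boolean invalid = decodedPath.contains("../") || decodedPath.contains("..\\");`, then `if (invalid && logger.isTraceEnabled()) { logger.trace("Resolved resource path contains \"../\" after decoding: " + resourcePath); }` and `return invalid;`. The check also decodes only once, so if anything downstream decodes the path again (not visible here), a value that still contains `%` after this pass is never examined in its final form; a short comment stating that assumption would help the next reader. The enclosing method starts and ends outside the hunk.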
|
|
|
|