Sanitize request URL in ResourceUrlEncodingFilter
Prior to this change, ResourceUrlEncodingFilter and ResourceUrlProvider would try to resolve the resource path using the full request URL (i.e. request path and request parameters), whereas the request path is the only information to consider. This would lead to StringIndexOutOfBoundsExceptions when the path + request params information was given to the AntPathMatcher. This commit makes the appropriate change to both ResourceUrlEncodingFilter and ResourceUrlProvider, in order to only select the request path. Issue: SPR-13374
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2014 the original author or authors.
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -106,6 +106,23 @@ public class ResourceUrlEncodingFilterTests {
|
||||
});
|
||||
}
|
||||
|
||||
// SPR-13374
|
||||
@Test
|
||||
public void encodeURLWithRequestParams() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/foo");
|
||||
request.setContextPath("/");
|
||||
request.setAttribute(ResourceUrlProviderExposingInterceptor.RESOURCE_URL_PROVIDER_ATTR, this.resourceUrlProvider);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
|
||||
this.filter.doFilterInternal(request, response, new FilterChain() {
|
||||
@Override
|
||||
public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
|
||||
String result = ((HttpServletResponse)response).encodeURL("/resources/bar.css?foo=bar&url=http://example.org");
|
||||
assertEquals("/resources/bar-11e16cf79faee7ac698c805cf28248d2.css?foo=bar&url=http://example.org", result);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
protected ResourceUrlProvider createResourceUrlProvider(List<ResourceResolver> resolvers) {
|
||||
ResourceHttpRequestHandler handler = new ResourceHttpRequestHandler();
|
||||
handler.setLocations(Arrays.asList(new ClassPathResource("test/", getClass())));
|
||||
|
||||
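Review bot: The only assertion in `encodeURLWithRequestParams` sits inside the anonymous `FilterChain.doFilter`, so if `doFilterInternal` ever returns without invoking the chain, the test passes without checking anything. Capturing the value and asserting after the call closes that gap: declare `final String[] encoded = new String[1];` before the call, assign `encoded[0]` from the `encodeURL(...)` call inside the callback, and run `assertEquals(..., encoded[0]);` with the same expected string once `doFilterInternal` has returned. The test just above this one ends with the same `});` shape and may use the same in-callback pattern, but its body starts outside the hunk, so that is an inference.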
@@ -29,6 +29,7 @@ import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.core.io.Resource;
|
||||
import org.springframework.mock.web.test.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.test.MockServletContext;
|
||||
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
|
||||
import org.springframework.web.servlet.handler.SimpleUrlHandlerMapping;
|
||||
@@ -74,6 +75,18 @@ public class ResourceUrlProviderTests {
|
||||
assertEquals("/resources/foo.css", url);
|
||||
}
|
||||
|
||||
// SPR-13374
|
||||
@Test
|
||||
public void getStaticResourceUrlRequestWithRequestParams() {
|
||||
initTranslator();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setContextPath("/");
|
||||
request.setRequestURI("/");
|
||||
|
||||
String url = this.translator.getForRequestUrl(request, "/resources/foo.css?foo=bar&url=http://example.org");
|
||||
assertEquals("/resources/foo.css?foo=bar&url=http://example.org", url);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getFingerprintedResourceUrl() {
|
||||
Map<String, VersionStrategy> versionStrategyMap = new HashMap<>();
|
||||
|
||||
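Review bot: `getStaticResourceUrlRequestWithRequestParams` pins only the `?query` form, with a context path and request URI of `/`, so the index arithmetic the commit message blames for the StringIndexOutOfBoundsException is exercised at a single point. The production change is not shown on this page, so it is unclear whether a fragment or a path parameter is also kept away from the path matcher. A sibling case such as `this.translator.getForRequestUrl(request, "/resources/foo.css#top")` would show that, and so would one with a non-root context path (`request.setContextPath("/app")` plus a matching request URI). If any URL handed to this code can be influenced by a request, those boundary cases are what keep a malformed link from surfacing as an unhandled exception.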