Add efficient existence check to ClassPathResource.isReadable()
Includes reduced isReadable() check in PathResourceLookupFunction, aligned with PathResourceResolver. Closes gh-27538 See gh-21372
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -88,7 +88,15 @@ public abstract class AbstractFileResolvingResource extends AbstractResource {
|
||||
@Override
|
||||
public boolean isReadable() {
|
||||
try {
|
||||
URL url = getURL();
|
||||
return checkReadable(getURL());
|
||||
}
|
||||
catch (IOException ex) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
boolean checkReadable(URL url) {
|
||||
try {
|
||||
if (ResourceUtils.isFileURL(url)) {
|
||||
// Proceed with file system resolution
|
||||
File file = getFile();
|
||||
|
||||
@@ -142,6 +142,18 @@ public class ClassPathResource extends AbstractFileResolvingResource {
|
||||
return (resolveURL() != null);
|
||||
}
|
||||
|
||||
/**
|
||||
* This implementation checks for the resolution of a resource URL upfront,
|
||||
* then proceeding with {@link AbstractFileResolvingResource}'s length check.
|
||||
* @see java.lang.ClassLoader#getResource(String)
|
||||
* @see java.lang.Class#getResource(String)
|
||||
*/
|
||||
@Override
|
||||
public boolean isReadable() {
|
||||
URL url = resolveURL();
|
||||
return (url != null && checkReadable(url));
|
||||
}
|
||||
|
||||
/**
|
||||
* Resolves a URL for the underlying class path resource.
|
||||
* @return the resolved URL, or {@code null} if not resolvable
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -72,7 +72,7 @@ class PathResourceLookupFunction implements Function<ServerRequest, Mono<Resourc
|
||||
|
||||
try {
|
||||
Resource resource = this.location.createRelative(path);
|
||||
if (resource.exists() && resource.isReadable() && isResourceUnderLocation(resource)) {
|
||||
if (resource.isReadable() && isResourceUnderLocation(resource)) {
|
||||
return Mono.just(resource);
|
||||
}
|
||||
else {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -71,7 +71,7 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
|
||||
|
||||
try {
|
||||
Resource resource = this.location.createRelative(path);
|
||||
if (resource.exists() && resource.isReadable() && isResourceUnderLocation(resource)) {
|
||||
if (resource.isReadable() && isResourceUnderLocation(resource)) {
|
||||
return Optional.of(resource);
|
||||
}
|
||||
else {
|
||||
@@ -110,10 +110,7 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
|
||||
return true;
|
||||
}
|
||||
}
|
||||
if (path.contains("..") && StringUtils.cleanPath(path).contains("../")) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
return path.contains("..") && StringUtils.cleanPath(path).contains("../");
|
||||
}
|
||||
|
||||
private boolean isResourceUnderLocation(Resource resource) throws IOException {
|
||||
@@ -144,10 +141,8 @@ class PathResourceLookupFunction implements Function<ServerRequest, Optional<Res
|
||||
if (!resourcePath.startsWith(locationPath)) {
|
||||
return false;
|
||||
}
|
||||
if (resourcePath.contains("%") && StringUtils.uriDecode(resourcePath, StandardCharsets.UTF_8).contains("../")) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
return !resourcePath.contains("%") ||
|
||||
!StringUtils.uriDecode(resourcePath, StandardCharsets.UTF_8).contains("../");
|
||||
}
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user