Sanitize request fragment in ResourceUrlEncodingFilter

neVERberleRfellerER · rstoyanchev · commit 959cf61647b5 · 2018-11-26T13:48:48.000-05:00
Prior to this change, ResourceUrlEncodingFilter would try to resolve
the resource path using request URL without removing fragment first,
whereas only paths should be used.

This commit synchronizes behavior of ResourceUrlEncodingFilter with
behavior of ResourceUrlProvider.

Issue: SPR-17535
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceUrlEncodingFilter.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceUrlEncodingFilter.java
@@ -115,7 +115,7 @@ public String resolveUrlPath(String url) {
 				return null;
 			}
 			if (this.indexLookupPath != null && url.startsWith(this.prefixLookupPath)) {
-				int suffixIndex = getQueryParamsIndex(url);
+				int suffixIndex = getEndPathIndex(url);
 				String suffix = url.substring(suffixIndex);
 				String lookupPath = url.substring(this.indexLookupPath, suffixIndex);
 				lookupPath = this.resourceUrlProvider.getForLookupPath(lookupPath);
@@ -126,9 +126,17 @@ public String resolveUrlPath(String url) {
 			return null;
 		}
 
-		private int getQueryParamsIndex(String url) {
-			int index = url.indexOf('?');
-			return (index > 0 ? index : url.length());
+		private int getEndPathIndex(String lookupPath) {
+			int suffixIndex = lookupPath.length();
+			int queryIndex = lookupPath.indexOf('?');
+			if (queryIndex > 0) {
+				suffixIndex = queryIndex;
+			}
+			int hashIndex = lookupPath.indexOf('#');
+			if (hashIndex > 0) {
+				suffixIndex = Math.min(suffixIndex, hashIndex);
+			}
+			return suffixIndex;
 		}
 	}
 
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceUrlEncodingFilterTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceUrlEncodingFilterTests.java
@@ -173,4 +173,30 @@ public void encodeUrlPreventStringOutOfBounds() throws Exception {
 		});
 	}
 
+	@Test // SPR-17535
+	public void encodeURLWitFragment() throws Exception {
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/foo");
+		request.setContextPath("/");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		this.filter.doFilter(request, response, (req, res) -> {
+			req.setAttribute(ResourceUrlProviderExposingInterceptor.RESOURCE_URL_PROVIDER_ATTR, this.urlProvider);
+			String result = ((HttpServletResponse) res).encodeURL("/resources/bar.css#something");
+			assertEquals("/resources/bar-11e16cf79faee7ac698c805cf28248d2.css#something", result);
+		});
+	}
+
+	@Test // SPR-13374 and SPR-17535 combined
+	public void encodeURLWitFragmentAndRequestParams() throws Exception {
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/foo");
+		request.setContextPath("/");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		this.filter.doFilter(request, response, (req, res) -> {
+			req.setAttribute(ResourceUrlProviderExposingInterceptor.RESOURCE_URL_PROVIDER_ATTR, this.urlProvider);
+			String result = ((HttpServletResponse) res).encodeURL("/resources/bar.css?foo=bar&url=http://example.org#something");
+			assertEquals("/resources/bar-11e16cf79faee7ac698c805cf28248d2.css?foo=bar&url=http://example.org#something", result);
+		});
+	}
+
 }
