spring-projects
diff --git a/‎SPR-12354.txt
+137 b/‎SPR-12354.txt
+137
diff --git a/‎spring-web/src/main/java/org/springframework/http/client/Netty4ClientHttpRequest.java
+34-37 b/‎spring-web/src/main/java/org/springframework/http/client/Netty4ClientHttpRequest.java
+34-37
diff --git a/‎spring-web/src/main/java/org/springframework/http/client/Netty4ClientHttpRequestFactory.java
+26-25 b/‎spring-web/src/main/java/org/springframework/http/client/Netty4ClientHttpRequestFactory.java
+26-25
@@ -0,0 +1,137 @@
+diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
+index e36c08c..acb9459 100644
+--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
++++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java
+@@ -36,6 +36,7 @@ import org.springframework.http.MediaType;
+ import org.springframework.util.Assert;
+ import org.springframework.util.ClassUtils;
+ import org.springframework.util.CollectionUtils;
++import org.springframework.util.ResourceUtils;
+ import org.springframework.util.StreamUtils;
+ import org.springframework.util.StringUtils;
+ import org.springframework.web.HttpRequestHandler;
+@@ -237,14 +238,29 @@ public class ResourceHttpRequestHandler extends WebContentGenerator implements H
+ 	}
+ 
+ 	/**
+-	 * Validates the given path: returns {@code true} if the given path is not a valid resource path.
+-	 * <p>The default implementation rejects paths containing "WEB-INF" or "META-INF" as well as paths
+-	 * with relative paths ("../") that result in access of a parent directory.
++	 * Identifies invalid resource paths. By default rejects:
++	 * <ul>
++	 * <li>Paths that contain "WEB-INF" or "META-INF".
++	 * <li>Paths that contain "../" after {@link org.springframework.util.StringUtils#cleanPath}.
++	 * <li>Paths identified as a URL via {@link org.springframework.util.ResourceUtils#isUrl}.
++	 * </ul>
+ 	 * @param path the path to validate
+-	 * @return {@code true} if the path has been recognized as invalid, {@code false} otherwise
++	 * @return {@code true} if the path is invalid, {@code false} otherwise
+ 	 */
+ 	protected boolean isInvalidPath(String path) {
+-		return (path.contains("WEB-INF") || path.contains("META-INF") || StringUtils.cleanPath(path).startsWith(".."));
++		if (path.contains("WEB-INF") || path.contains("META-INF")) {
++			return true;
++		}
++		if (path.contains("../")) {
++			path = StringUtils.cleanPath(path);
++			if (path.contains("../")) {
++				return true;
++			}
++		}
++		if (path.contains(":") && ResourceUtils.isUrl(path)) {
++			return true;
++		}
++		return false;
+ 	}
+ 
+ 	/**
+diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java
+index 07268a3..69ca52f 100644
+--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java
++++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandlerTests.java
+@@ -16,25 +16,26 @@
+ 
+ package org.springframework.web.servlet.resource;
+ 
++import static org.junit.Assert.assertEquals;
++import static org.junit.Assert.assertTrue;
++
+ import java.io.IOException;
+ import java.util.ArrayList;
+-import java.util.Arrays;
+ import java.util.List;
++
+ import javax.servlet.http.HttpServletResponse;
+ 
+ import org.junit.Before;
+ import org.junit.Test;
+-
+ import org.springframework.core.io.ClassPathResource;
+ import org.springframework.core.io.Resource;
++import org.springframework.core.io.UrlResource;
+ import org.springframework.mock.web.test.MockHttpServletRequest;
+ import org.springframework.mock.web.test.MockHttpServletResponse;
+ import org.springframework.mock.web.test.MockServletContext;
+ import org.springframework.web.HttpRequestMethodNotSupportedException;
+ import org.springframework.web.servlet.HandlerMapping;
+ 
+-import static org.junit.Assert.*;
+-
+ /**
+  * Unit tests for ResourceHttpRequestHandler.
+  *
+@@ -126,7 +127,7 @@ public class ResourceHttpRequestHandlerTests {
+ 	}
+ 
+ 	@Test
+-	public void getResourceViaDirectoryTraversal() throws Exception {
++	public void directoryTraversalWithRelativePath() throws Exception {
+ 		this.request.setAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE, "../testsecret/secret.txt");
+ 		this.handler.handleRequest(this.request, this.response);
+ 		assertEquals(404, this.response.getStatus());
+@@ -136,13 +137,40 @@ public class ResourceHttpRequestHandlerTests {
+ 		this.handler.handleRequest(this.request, this.response);
+ 		assertEquals(404, this.response.getStatus());
+ 
+-		this.handler.setLocations(Arrays.<Resource>asList(new ClassPathResource("testsecret/", getClass())));
+-		this.request.setAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE, "secret.txt");
++		// SPR-12354 for ":/../"
++
++		this.request.setAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE, ":/../../testsecret/secret.txt");
++		this.response = new MockHttpServletResponse();
++		this.handler.handleRequest(this.request, this.response);
++		assertEquals(404, this.response.getStatus());
++
++		// Also "prove" secret.txt does exist
++		Resource location = this.handler.getLocations().get(0);
++		assertTrue(location.createRelative("../testsecret/secret.txt").exists());
++	}
++
++	// SPR-12354 for "file:/"
++
++	@Test
++	public void directoryTraversalWithUrl() throws Exception {
++
++		// Add any file based location
++		this.handler.getLocations().add(new UrlResource(getClass().getResource(".")));
++
++		Resource resource = new UrlResource(getClass().getResource("testsecret/secret.txt"));
++		this.request.setAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE, resource.getURL().toString());
++		this.handler.handleRequest(this.request, this.response);
++		assertEquals(404, this.response.getStatus());
++
++		resource = new UrlResource(getClass().getResource("testsecret/secret.txt"));
++		this.request.setAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE, "../" + resource.getURL().toString());
+ 		this.response = new MockHttpServletResponse();
+ 		this.handler.handleRequest(this.request, this.response);
+-		assertEquals(200, this.response.getStatus());
+-		assertEquals("text/plain", this.response.getContentType());
+-		assertEquals("big secret", this.response.getContentAsString());
++		assertEquals(404, this.response.getStatus());
++
++		// Also "prove" secret.txt does exist
++		Resource location = this.handler.getLocations().get(0);
++		assertTrue(location.createRelative("../testsecret/secret.txt").exists());
+ 	}
+ 
+ 	@Test
@@ -60,13 +60,15 @@ class Netty4ClientHttpRequest extends AbstractAsyncClientHttpRequest implements
 
 	private final ByteBufOutputStream body;
 
+
 	Netty4ClientHttpRequest(Bootstrap bootstrap, URI uri, HttpMethod method, int maxRequestSize) {
 		this.bootstrap = bootstrap;
 		this.uri = uri;
 		this.method = method;
 		this.body = new ByteBufOutputStream(Unpooled.buffer(maxRequestSize));
 	}
 
+
 	@Override
 	public HttpMethod getMethod() {
 		return this.method;
@@ -83,8 +85,7 @@ protected OutputStream getBodyInternal(HttpHeaders headers) throws IOException {
 	}
 
 	@Override
-	protected ListenableFuture<ClientHttpResponse> executeInternal(final HttpHeaders headers)
-			throws IOException {
+	protected ListenableFuture<ClientHttpResponse> executeInternal(final HttpHeaders headers) throws IOException {
 		final SettableListenableFuture<ClientHttpResponse> responseFuture =
 				new SettableListenableFuture<ClientHttpResponse>();
 
@@ -93,42 +94,19 @@ protected ListenableFuture<ClientHttpResponse> executeInternal(final HttpHeaders
 			public void operationComplete(ChannelFuture future) throws Exception {
 				if (future.isSuccess()) {
 					Channel channel = future.channel();
-					channel.pipeline()
-							.addLast(new SimpleChannelInboundHandler<FullHttpResponse>() {
-
-										@Override
-										protected void channelRead0(
-												ChannelHandlerContext ctx,
-												FullHttpResponse msg) throws Exception {
-											responseFuture
-													.set(new Netty4ClientHttpResponse(ctx,
-															msg));
-										}
-
-										@Override
-										public void exceptionCaught(
-												ChannelHandlerContext ctx,
-												Throwable cause) throws Exception {
-											responseFuture.setException(cause);
-										}
-									});
-
-					FullHttpRequest nettyRequest =
-							createFullHttpRequest(headers);
-
+					channel.pipeline().addLast(new RequestExecuteHandler(responseFuture));
+					FullHttpRequest nettyRequest = createFullHttpRequest(headers);
 					channel.writeAndFlush(nettyRequest);
 				}
 				else {
 					responseFuture.setException(future.cause());
 				}
-
 			}
 		};
 
-		bootstrap.connect(uri.getHost(), getPort(uri)).addListener(connectionListener);
+		this.bootstrap.connect(this.uri.getHost(), getPort(this.uri)).addListener(connectionListener);
 
 		return responseFuture;
-
 	}
 
 	@Override
@@ -142,7 +120,8 @@ public ClientHttpResponse execute() throws IOException {
 		catch (ExecutionException ex) {
 			if (ex.getCause() instanceof IOException) {
 				throw (IOException) ex.getCause();
-			} else {
+			}
+			else {
 				throw new IOException(ex.getMessage(), ex);
 			}
 		}
@@ -163,17 +142,13 @@ else if ("https".equalsIgnoreCase(uri.getScheme())) {
 
 	private FullHttpRequest createFullHttpRequest(HttpHeaders headers) {
 		io.netty.handler.codec.http.HttpMethod nettyMethod =
-				io.netty.handler.codec.http.HttpMethod.valueOf(method.name());
+				io.netty.handler.codec.http.HttpMethod.valueOf(this.method.name());
 
 		FullHttpRequest nettyRequest = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1,
-				nettyMethod, this.uri.getRawPath(),
-				this.body.buffer());
+				nettyMethod, this.uri.getRawPath(), this.body.buffer());
 
-		nettyRequest.headers()
-				.set(io.netty.handler.codec.http.HttpHeaders.Names.HOST, uri.getHost());
-		nettyRequest.headers()
-				.set(io.netty.handler.codec.http.HttpHeaders.Names.CONNECTION,
-						io.netty.handler.codec.http.HttpHeaders.Values.CLOSE);
+		nettyRequest.headers().set(HttpHeaders.HOST, uri.getHost());
+		nettyRequest.headers().set(HttpHeaders.CONNECTION, io.netty.handler.codec.http.HttpHeaders.Values.CLOSE);
 
 		for (Map.Entry<String, List<String>> entry : headers.entrySet()) {
 			nettyRequest.headers().add(entry.getKey(), entry.getValue());
@@ -183,4 +158,26 @@ private FullHttpRequest createFullHttpRequest(HttpHeaders headers) {
 	}
 
 
+	/**
+	 * A SimpleChannelInboundHandler to update the given SettableListenableFuture.
+	 */
+	private static class RequestExecuteHandler extends SimpleChannelInboundHandler<FullHttpResponse> {
+
+		private final SettableListenableFuture<ClientHttpResponse> responseFuture;
+
+		public RequestExecuteHandler(SettableListenableFuture<ClientHttpResponse> responseFuture) {
+			this.responseFuture = responseFuture;
+		}
+
+		@Override
+		protected void channelRead0(ChannelHandlerContext context, FullHttpResponse response) throws Exception {
+			this.responseFuture.set(new Netty4ClientHttpResponse(context, response));
+		}
+
+		@Override
+		public void exceptionCaught(ChannelHandlerContext context, Throwable cause) throws Exception {
+			this.responseFuture.setException(cause);
+		}
+	}
+
 }
@@ -45,16 +45,16 @@
  * @author Arjen Poutsma
  * @since 4.2
  */
-public class Netty4ClientHttpRequestFactory
-		implements ClientHttpRequestFactory, AsyncClientHttpRequestFactory,
-		InitializingBean, DisposableBean {
+public class Netty4ClientHttpRequestFactory implements ClientHttpRequestFactory,
+		AsyncClientHttpRequestFactory, InitializingBean, DisposableBean {
 
 	/**
 	 * The default maximum request size.
 	 * @see #setMaxRequestSize(int)
 	 */
 	public static final int DEFAULT_MAX_REQUEST_SIZE = 1024 * 1024 * 10;
 
+
 	private final EventLoopGroup eventLoopGroup;
 
 	private final boolean defaultEventLoopGroup;
@@ -65,18 +65,19 @@ public class Netty4ClientHttpRequestFactory
 
 	private Bootstrap bootstrap;
 
+
 	/**
-	 * Creates a new {@code Netty4ClientHttpRequestFactory} with a default
+	 * Create a new {@code Netty4ClientHttpRequestFactory} with a default
 	 * {@link NioEventLoopGroup}.
 	 */
 	public Netty4ClientHttpRequestFactory() {
 		int ioWorkerCount = Runtime.getRuntime().availableProcessors() * 2;
-		eventLoopGroup = new NioEventLoopGroup(ioWorkerCount);
-		defaultEventLoopGroup = true;
+		this.eventLoopGroup = new NioEventLoopGroup(ioWorkerCount);
+		this.defaultEventLoopGroup = true;
 	}
 
 	/**
-	 * Creates a new {@code Netty4ClientHttpRequestFactory} with the given
+	 * Create a new {@code Netty4ClientHttpRequestFactory} with the given
 	 * {@link EventLoopGroup}.
 	 *
 	 * <p><b>NOTE:</b> the given group will <strong>not</strong> be
@@ -89,17 +90,20 @@ public Netty4ClientHttpRequestFactory(EventLoopGroup eventLoopGroup) {
 		this.defaultEventLoopGroup = false;
 	}
 
+
 	/**
-	 * Sets the default maximum request size. The default is
-	 * {@link #DEFAULT_MAX_REQUEST_SIZE}.
+	 * Set the default maximum request size.
+	 * <p>By default this is set to {@link #DEFAULT_MAX_REQUEST_SIZE}.
 	 * @see HttpObjectAggregator#HttpObjectAggregator(int)
 	 */
 	public void setMaxRequestSize(int maxRequestSize) {
 		this.maxRequestSize = maxRequestSize;
 	}
 
 	/**
-	 * Sets the SSL context.
+	 * Set the SSL context. When configured it is used to create and insert an
+	 * {@link io.netty.handler.ssl.SslHandler} in the channel pipeline.
+	 * <p>By default this is not set.
 	 */
 	public void setSslContext(SslContext sslContext) {
 		this.sslContext = sslContext;
@@ -108,14 +112,14 @@ public void setSslContext(SslContext sslContext) {
 	private Bootstrap getBootstrap() {
 		if (this.bootstrap == null) {
 			Bootstrap bootstrap = new Bootstrap();
-			bootstrap.group(eventLoopGroup).channel(NioSocketChannel.class)
+			bootstrap.group(this.eventLoopGroup).channel(NioSocketChannel.class)
 					.handler(new ChannelInitializer<SocketChannel>() {
 						@Override
-						protected void initChannel(SocketChannel ch) throws Exception {
-							ChannelPipeline pipeline = ch.pipeline();
+						protected void initChannel(SocketChannel channel) throws Exception {
+							ChannelPipeline pipeline = channel.pipeline();
 
 							if (sslContext != null) {
-								pipeline.addLast(sslContext.newHandler(ch.alloc()));
+								pipeline.addLast(sslContext.newHandler(channel.alloc()));
 							}
 							pipeline.addLast(new HttpClientCodec());
 							pipeline.addLast(new HttpObjectAggregator(maxRequestSize));
@@ -131,29 +135,26 @@ public void afterPropertiesSet() throws Exception {
 		getBootstrap();
 	}
 
-	private Netty4ClientHttpRequest createRequestInternal(URI uri, HttpMethod httpMethod) {
-		return new Netty4ClientHttpRequest(getBootstrap(), uri, httpMethod, maxRequestSize);
-	}
-
 	@Override
-	public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod)
-			throws IOException {
+	public ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) throws IOException {
 		return createRequestInternal(uri, httpMethod);
 	}
 
 	@Override
-	public AsyncClientHttpRequest createAsyncRequest(URI uri, HttpMethod httpMethod)
-			throws IOException {
+	public AsyncClientHttpRequest createAsyncRequest(URI uri, HttpMethod httpMethod) throws IOException {
 		return createRequestInternal(uri, httpMethod);
 	}
 
+	private Netty4ClientHttpRequest createRequestInternal(URI uri, HttpMethod httpMethod) {
+		return new Netty4ClientHttpRequest(getBootstrap(), uri, httpMethod, this.maxRequestSize);
+	}
+
 	@Override
 	public void destroy() throws InterruptedException {
-		if (defaultEventLoopGroup) {
+		if (this.defaultEventLoopGroup) {
 			// clean up the EventLoopGroup if we created it in the constructor
-			eventLoopGroup.shutdownGracefully().sync();
+			this.eventLoopGroup.shutdownGracefully().sync();
 		}
 	}
 
-
 }