Normalize resource URL in ResourceServlet

Issue: SPR-14946
spring-projects · Dec 21, 2016 · a7dc485 · a7dc485
1 parent bd282e6
commit a7dc485
Showing 1 changed file with 7 additions and 8 deletions.
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/ResourceServlet.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/ResourceServlet.java
@@ -17,7 +17,6 @@
 package org.springframework.web.servlet;
 
 import java.io.IOException;
-
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -271,18 +270,18 @@ private void doInclude(HttpServletRequest request, HttpServletResponse response,
 		if (this.contentType != null) {
 			response.setContentType(this.contentType);
 		}
-		String[] resourceUrls =
-			StringUtils.tokenizeToStringArray(resourceUrl, RESOURCE_URL_DELIMITERS);
-		for (int i = 0; i < resourceUrls.length; i++) {
+		String[] resourceUrls = StringUtils.tokenizeToStringArray(resourceUrl, RESOURCE_URL_DELIMITERS);
+		for (String url : resourceUrls) {
+			String path = StringUtils.cleanPath(url);
 			// check whether URL matches allowed resources
-			if (this.allowedResources != null && !this.pathMatcher.match(this.allowedResources, resourceUrls[i])) {
-				throw new ServletException("Resource [" + resourceUrls[i] +
+			if (this.allowedResources != null && !this.pathMatcher.match(this.allowedResources, path)) {
+				throw new ServletException("Resource [" + path +
 						"] does not match allowed pattern [" + this.allowedResources + "]");
 			}
 			if (logger.isDebugEnabled()) {
-				logger.debug("Including resource [" + resourceUrls[i] + "]");
+				logger.debug("Including resource [" + path + "]");
 			}
-			RequestDispatcher rd = request.getRequestDispatcher(resourceUrls[i]);
+			RequestDispatcher rd = request.getRequestDispatcher(path);
 			rd.include(request, response);
 		}
 	}