[
https://issues.apache.org/jira/browse/WW-5645?focusedWorklogId=1029626&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1029626
]
ASF GitHub Bot logged work on WW-5645:
--------------------------------------
Author: ASF GitHub Bot
Created on: 12/Jul/26 15:49
Start Date: 12/Jul/26 15:49
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on PR #1777:
URL: https://github.com/apache/struts/pull/1777#issuecomment-4951796976
Thanks for this. Dropping the second `URLDecoder.decode()` in `buildPath()`
is the right call — the container has already decoded `getServletPath()`, so
the extra decode was redundant, and removing it (plus the now-unnecessary
`throws UnsupportedEncodingException`) is a clean correctness fix. Adding
explicit segment rejection and tests is a good direction too.
A few things I'd tighten — happy for you to handle them here, or I can file
a WW ticket and pick them up in a follow-up, whichever you prefer:
1. **Prefer per-segment checks over substring matching.**
`containsMalformedPathSegment` uses `path.contains("..")`, which also rejects
legitimate names like `foo..bar.js`. `DefaultWebJarUrlProvider.split()` already
walks segments and rejects `..`/`.` precisely — cleaner to unify on one
per-segment helper than to add a parallel `contains`-based one, and it avoids
the false positives.
2. **Denylist vs. canonicalize.** Enumerating encoded forms (`%2e`) is
fragile. Normalizing the path (collapse `.`/`..`, `\`→`/`) and confirming it
stays within the intended prefix is more robust and self-documenting.
3. **Behavior change to note:** the WebJar path previously rejected `..`
per-segment (`equals("..")`); routing it through the shared helper broadens
that to `contains`. Intentional, but worth calling out.
4. **Minor/structural:** the helper needed a brace fix; indentation of the
added block and the inline `java.util.Locale.ROOT` (vs. an import) are slightly
off — worth a tidy pass. And `encoding` is now unused once the decode is gone.
Overall a good cleanup — mostly about making the guard precise and
consistent with what the WebJar resolver already does.
Issue Time Tracking
-------------------
Worklog Id: (was: 1029626)
Remaining Estimate: 0h
Time Spent: 10m
> Remove redundant URL decode and harden path handling in static content serving
> ------------------------------------------------------------------------------
>
> Key: WW-5645
> URL: https://issues.apache.org/jira/browse/WW-5645
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 7.2.1
> Reporter: Arun Manni
> Priority: Minor
> Fix For: 7.3.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> buildPath() in DefaultStaticContentLoader applies URLDecoder.decode() to
> resource paths that the servlet container has already decoded. This
> redundant decode serves no purpose and conflicts with the servlet spec's
> path handling contract.
> This patch removes the unnecessary decode, adds a shared
> Validator.containsMalformedPathSegment() utility that rejects malformed
> path segments (dot-dot sequences, backslash separators, and
> percent-encoded forms), applies it in both the static content and WebJar
> serving paths, documents the encoding contract on
> RequestUtils.getServletPath(), and adds test coverage.
> PR: https://github.com/apache/struts/pull/1777
--
This message was sent by Atlassian Jira
(v8.20.10#820010)