[ 
https://issues.apache.org/jira/browse/WW-5645?focusedWorklogId=1029626&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1029626
 ]

ASF GitHub Bot logged work on WW-5645:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Jul/26 15:49
            Start Date: 12/Jul/26 15:49
    Worklog Time Spent: 10m 
      Work Description: lukaszlenart commented on PR #1777:
URL: https://github.com/apache/struts/pull/1777#issuecomment-4951796976

   Thanks for this. Dropping the second `URLDecoder.decode()` in `buildPath()` 
is the right call — the container has already decoded `getServletPath()`, so 
the extra decode was redundant, and removing it (plus the now-unnecessary 
`throws UnsupportedEncodingException`) is a clean correctness fix. Adding 
explicit segment rejection and tests is a good direction too.
   
   A few things I'd tighten — happy for you to handle them here, or I can file 
a WW ticket and pick them up in a follow-up, whichever you prefer:
   
   1. **Prefer per-segment checks over substring matching.** 
`containsMalformedPathSegment` uses `path.contains("..")`, which also rejects 
legitimate names like `foo..bar.js`. `DefaultWebJarUrlProvider.split()` already 
walks segments and rejects `..`/`.` precisely — cleaner to unify on one 
per-segment helper than to add a parallel `contains`-based one, and it avoids 
the false positives.
   2. **Denylist vs. canonicalize.** Enumerating encoded forms (`%2e`) is 
fragile. Normalizing the path (collapse `.`/`..`, `\`→`/`) and confirming it 
stays within the intended prefix is more robust and self-documenting.
   3. **Behavior change to note:** the WebJar path previously rejected `..` 
per-segment (`equals("..")`); routing it through the shared helper broadens 
that to `contains`. Intentional, but worth calling out.
   4. **Minor/structural:** the helper needed a brace fix; indentation of the 
added block and the inline `java.util.Locale.ROOT` (vs. an import) are slightly 
off — worth a tidy pass. And `encoding` is now unused once the decode is gone.
   
   Overall a good cleanup — mostly about making the guard precise and 
consistent with what the WebJar resolver already does.
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1029626)
    Remaining Estimate: 0h
            Time Spent: 10m

> Remove redundant URL decode and harden path handling in static content serving
> ------------------------------------------------------------------------------
>
>                 Key: WW-5645
>                 URL: https://issues.apache.org/jira/browse/WW-5645
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 7.2.1
>            Reporter: Arun Manni
>            Priority: Minor
>             Fix For: 7.3.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> buildPath() in DefaultStaticContentLoader applies URLDecoder.decode() to 
> resource paths that the servlet container has already decoded. This 
> redundant decode serves no purpose and conflicts with the servlet spec's 
> path handling contract.
> This patch removes the unnecessary decode, adds a shared 
> Validator.containsMalformedPathSegment() utility that rejects malformed 
> path segments (dot-dot sequences, backslash separators, and 
> percent-encoded forms), applies it in both the static content and WebJar 
> serving paths, documents the encoding contract on 
> RequestUtils.getServletPath(), and adds test coverage.
> PR: https://github.com/apache/struts/pull/1777



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to