improve uri validation, check also for // after decoding

grails-plugins · Feb 26, 2014 · 7df99cc · 7df99cc
1 parent 557879c
commit 7df99cc
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/src/groovy/org/grails/plugin/resource/URLUtils.groovy b/src/groovy/org/grails/plugin/resource/URLUtils.groovy
@@ -39,7 +39,7 @@ class URLUtils {
 
     /**
      * Normalizes and decodes uri once.
-     * Check if result contains \ , /../ or /./ after decoding and throws IllegalArgumentException in that case
+     * Check if result contains \ , /../ , /./ or // after decoding and throws IllegalArgumentException in that case
      * 
      * @param uri
      * @return
@@ -53,7 +53,7 @@ class URLUtils {
         }
 
         String decoded = URLDecoder.decode(normalized, "UTF-8")
-        if(decoded.contains('\\') || decoded.contains('/./') || decoded.contains('/../')) {
+        if(decoded.contains('\\') || decoded.contains('/./') || decoded.contains('/../') || decoded.contains('//')) {
             throw new IllegalArgumentException("illegal uri ${uri}")
         }
 

diff --git a/test/unit/org/grails/plugin/resource/URLUtilsSpec.groovy b/test/unit/org/grails/plugin/resource/URLUtilsSpec.groovy
@@ -27,7 +27,7 @@ class URLUtilsSpec extends Specification {
         normalizeUri('/parentdir/a%20b%20c.xml') == '/parentdir/a b c.xml'
     }
 
-    def 'fail if contains .. path travelsal after decoding'() {
+    def 'fail if contains .. path traversal after decoding'() {
         when:
         normalizeUri('/some/path/%2e%2e/some-dir/file.xml')
         then:
@@ -41,7 +41,7 @@ class URLUtilsSpec extends Specification {
         thrown IllegalArgumentException
     }
 
-    def 'fail if contains . path travelsal after decoding'() {
+    def 'fail if contains . path traversal after decoding'() {
         when:
         normalizeUri('/some/path/%2e/some-dir/file.xml')
         then: