
Directory traversal with static resource handling (CVE-2014-3625) [SPR-12354] #16959

spring-projects-issues opened this issue Oct 20, 2014 · 0 comments



@spring-projects-issues spring-projects-issues commented Oct 20, 2014

Rossen Stoyanchev opened SPR-12354 and commented

This is related to the "directory traversal" report CVE-2014-3625.

Affects: 3.2.11, 4.0.7, 4.1.1

Referenced from: commits 1214624, 379d2e6, 3f68cd6, 161d3e3, 9beae9a, 9cef8e3

Backported to: 4.0.8, 3.2.12

@spring-projects-issues spring-projects-issues added this to the 4.1.2 milestone Jan 11, 2019
bclozel added a commit to bclozel/spring-framework that referenced this issue Feb 26, 2019
Prior to this commit, the `PathResourceResolver` would check several
things before resolving static resources:

* make sure that the resolved resource is under an authorized location
* make sure that the whole resource path does not contain illegal chars
(combinations of URL encoded "%" chars and "../" path traversal)

In some cases, those checks may be too strict and limit legal usage like
the following:

1) configuring a static location such as "file: ../client-module/src"
2) trying to resolve an NPM-versioned resource like

This commit performs the invalid character checks on the incoming
resource path only, considering that the configured location path is
trusted by the user. The location checks are still performed.

See spring-projectsgh-16959
Closes gh-
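The two checks the commit message describes (an invalid-character check on the incoming request path, and a location check that the resolved file stays under the configured directory) can be illustrated with a small stand-alone resolver. This is an added example written for this page, not Spring's `PathResourceResolver` code; the function names, the bounded percent-decoding loop and the trusted-location assumption are the example's own. The point it demonstrates is the one the commit makes: a configured location such as "../client-module/src" is accepted as trusted, while traversal sequences in the request path (plain or percent-encoded) are rejected before the location check even runs.

```python
import os
from typing import Optional
from urllib.parse import unquote


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded '..' (e.g. %252e%252e) is seen as the '..' it really is."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path


def has_invalid_path_chars(request_path: str) -> bool:
    """Invalid-character check applied to the *incoming* request path only.
    The configured location is treated as trusted (the change the commit
    describes), so it is deliberately not passed through this check.
    Rejects any '..' segment, whether written literally or URL-encoded."""
    decoded = decode_fully(request_path).replace("\\", "/")
    return ".." in decoded.split("/")


def resolve_static(location_dir: str, request_path: str) -> Optional[str]:
    """Resolve request_path against the trusted location_dir.
    Returns the absolute candidate path, or None when a check rejects it.
    (Hypothetical helper: a real resolver would also verify the file exists.)"""
    if has_invalid_path_chars(request_path):
        return None
    # The location itself may legitimately contain '../' (relative to the
    # working directory); realpath normalises it and resolves symlinks.
    base = os.path.realpath(location_dir)
    relative = decode_fully(request_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(base, relative))
    # Location check, still performed on every request: the candidate must be
    # the base directory itself or a path strictly inside it.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests against the location from the commit message.
    location = "../client-module/src"
    for req in ("js/app.js", "../secret.txt", "..%2F..%2Fetc/passwd",
                "%252e%252e/etc/passwd", "css/../js/app.js"):
        print(f"{req!r:28} -> {resolve_static(location, req)}")
```

Rejecting every `..` segment (even a harmless `css/../js/app.js`) is the conservative choice; the location check with `realpath` is the safety net that still applies when the character check is relaxed.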