Static resource support does not handle requests for a file with % character in its name #23463

@wilkinsona

Affects: 5.2.0.RC1 (earlier versions may also be affected)

When a request is made for a static resource with a % in its file name, PathResourceResolver attempts to decode the path to check for the presence of encoded ../ or ..\. This fails when the path is, for example, test%file.txt from a GET request for /test%25file.txt. The failure is the following:

Caused by: java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: "fi"
	at java.net.URLDecoder.decode(URLDecoder.java:194) ~[na:1.8.0_181]
	at org.springframework.web.servlet.resource.PathResourceResolver.isInvalidEncodedPath(PathResourceResolver.java:285) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.PathResourceResolver.isResourceUnderLocation(PathResourceResolver.java:254) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.PathResourceResolver.checkResource(PathResourceResolver.java:211) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.PathResourceResolver.getResource(PathResourceResolver.java:186) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.PathResourceResolver.getResource(PathResourceResolver.java:154) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.PathResourceResolver.resolveResourceInternal(PathResourceResolver.java:136) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.AbstractResourceResolver.resolveResource(AbstractResourceResolver.java:45) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.DefaultResourceResolverChain.resolveResource(DefaultResourceResolverChain.java:74) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.getResource(ResourceHttpRequestHandler.java:526) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.handleRequest(ResourceHttpRequestHandler.java:451) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:53) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1039) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:942) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1005) ~[spring-webmvc-5.2.0.RC1.jar:5.2.0.RC1]
	... 47 common frames omitted
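
An added example, not part of the original issue and not Spring's code: it first reproduces the `URLDecoder` failure on `test%file.txt`, then shows one way to look for an encoded `../` or `..\` that treats a `%` not followed by two hex digits as a literal character instead of throwing. The class and method names are hypothetical and the sample paths are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class EncodedTraversalCheck {
    // Value of an ASCII hex digit, or -1 if the byte is not one.
    static int hex(byte b) {
        if (b >= '0' && b <= '9') return b - '0';
        if (b >= 'a' && b <= 'f') return b - 'a' + 10;
        if (b >= 'A' && b <= 'F') return b - 'A' + 10;
        return -1;
    }

    // Hypothetical helper: decodes well-formed %XX escapes and copies any
    // other '%' through unchanged, so a literal '%' in a file name is kept.
    static String lenientDecode(String path) {
        byte[] in = path.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length);
        for (int i = 0; i < in.length; i++) {
            int hi = (in[i] == '%' && i + 2 < in.length) ? hex(in[i + 1]) : -1;
            int lo = (hi >= 0) ? hex(in[i + 2]) : -1;
            if (lo >= 0) {
                out.write((hi << 4) | lo);   // valid escape: emit decoded byte
                i += 2;
            } else {
                out.write(in[i]);            // literal byte, including a bare '%'
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // True if the path contains '%' and decodes to something with ../ or ..\
    static boolean hasEncodedTraversal(String path) {
        if (!path.contains("%")) return false;
        String decoded = lenientDecode(path);
        return decoded.contains("../") || decoded.contains("..\\");
    }

    public static void main(String[] args) throws Exception {
        try {
            URLDecoder.decode("test%file.txt", "UTF-8");   // the call that fails in the issue
        } catch (IllegalArgumentException ex) {
            System.out.println("strict decode failed: " + ex.getMessage());
        }
        // Constructed sample paths: one legitimate name, three traversal attempts
        for (String s : new String[] {"test%file.txt", "%2e%2e/secret.txt", "..%5cwin.ini", "a%2e%2e%2f%zz"}) {
            System.out.println(s + " -> traversal=" + hasEncodedTraversal(s));
        }
    }
}
```

The last sample mixes valid escapes with a malformed one; a check that simply gave up when strict decoding threw would not see the `%2e%2e%2f` in it.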

Labels: in: web (Issues in web modules (web, webmvc, webflux, websocket)); type: enhancement (A general enhancement)