use different strategy for extra check before serving urls

lhotari · lhotari · commit 5a25f63af1f1 · 2014-10-11T07:52:02.000+03:00
diff --git a/src/groovy/org/grails/plugin/resource/ResourceProcessor.groovy b/src/groovy/org/grails/plugin/resource/ResourceProcessor.groovy
@@ -87,8 +87,6 @@ class ResourceProcessor implements InitializingBean, ServletContextAware {
 
     ServletContext servletContext
     
-    String rootUrlNormalized
-
     boolean processingEnabled
 
     List adHocIncludes
@@ -97,7 +95,6 @@ class ResourceProcessor implements InitializingBean, ServletContextAware {
     List optionalDispositions
     
     boolean resourceLocatorEnabled
-    boolean serveUnderRootPathOnly
     
     ConcurrentMap<String, Boolean> servingAllowedCache
     ConcurrentMap<String, Boolean> resourceAllowedCache
@@ -140,10 +137,7 @@ class ResourceProcessor implements InitializingBean, ServletContextAware {
 
         optionalDispositions = getConfigParamOrDefault('optional.dispositions', ['inline', 'image'])
 
-        rootUrlNormalized = urlToNormalizedFormat(resolveUriToURL('/'))
-        
         resourceLocatorEnabled = getConfigParamOrDefault('resourceLocatorEnabled', developmentMode)
-        serveUnderRootPathOnly = getConfigParamOrDefault('serveUnderRootPathOnly', (resourceLocatorEnabled==false))
     }
 
     /**
@@ -275,20 +269,25 @@ class ResourceProcessor implements InitializingBean, ServletContextAware {
     }
     
     boolean doIsServingURLAllowed(String uri, URL url) {
-        if(serveUnderRootPathOnly) {
-            String urlAsString = urlToNormalizedFormat(url)
-            if(urlAsString==null || rootUrlNormalized == null || !urlAsString.startsWith(rootUrlNormalized)) {
-                return false
-            }
-            String relativePath = urlAsString.substring(rootUrlNormalized.length()-1)
-            return canProcessLegacyResource(relativePath)
-        } else {
-            return canProcessLegacyResource(uri)
+        String urlAsString = null
+        try {
+            urlAsString = urlToNormalizedFormat(url)
+        } catch (Exception e) {
+            log.warn("uri $uri is invalid. as url $url", e)
+        }
+        
+        if(urlAsString==null) {
+            return false
+        }
+        // only allow urls that end with the uri given as input
+        if(!urlAsString.endsWith(uri)) {
+            return false
         }
+        return canProcessLegacyResource(uri)
     }
     
     static String urlToNormalizedFormat(URL url) {
-        url != null ? url.toURI().normalize().toASCIIString() : null
+        url != null ? url.toURI().normalize() : null
     }
     
     /**
diff --git a/test/unit/org/grails/plugin/resource/ResourceProcessorSpec.groovy b/test/unit/org/grails/plugin/resource/ResourceProcessorSpec.groovy
@@ -29,7 +29,6 @@ class ResourceProcessorSpec extends Specification {
         ]
         resourceProcessor.servletContext = servletContext
         resourceProcessor.afterPropertiesSet()
-        resourceProcessor.rootUrlNormalized = '/'
         request = new MockHttpServletRequest(servletContext)
         request.contextPath = '/'
         response = new MockHttpServletResponse()

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,6 @@ class ResourceProcessorSpec extends Specification {`
`29`	`29`	`]`
`30`	`30`	`resourceProcessor.servletContext = servletContext`
`31`	`31`	`resourceProcessor.afterPropertiesSet()`
`32`		`- resourceProcessor.rootUrlNormalized = '/'`
`33`	`32`	`request = new MockHttpServletRequest(servletContext)`
`34`	`33`	`request.contextPath = '/'`
`35`	`34`	`response = new MockHttpServletResponse()`