Fix ServletContextResource isFile check

drgnchan · bclozel · commit b71e686cbd06 · 2022-09-26T22:20:15.000+02:00
Prior to this commit, `ServletContextResource` could rely on `ServletContext#getRealPath` to check whether a resource exists. This behavior is not enforced on some Servlet containers, as this method is only meant to translate virtual paths to real paths, but not necessarily check for the existence of the file. See https://bz.apache.org/bugzilla/show_bug.cgi?id=55837#c3 for a rationale of this behavior in Tomcat. This commit enforces an additional check, resolving the path as a `File` and checking that is exists and is a file. Closes gh-26707
diff --git a/spring-web/src/main/java/org/springframework/web/context/support/ServletContextResource.java b/spring-web/src/main/java/org/springframework/web/context/support/ServletContextResource.java
@@ -139,10 +139,15 @@ public boolean isFile() {
 				return true;
 			}
 			else {
-				return (this.servletContext.getRealPath(this.path) != null);
+				String realPath = this.servletContext.getRealPath(this.path);
+				if (realPath == null) {
+					return false;
+				}
+				File file = new File(realPath);
+				return (file.exists() && file.isFile());
 			}
 		}
-		catch (MalformedURLException ex) {
+		catch (IOException ex) {
 			return false;
 		}
 	}
diff --git a/spring-web/src/test/java/org/springframework/web/context/support/ResourceTests.java b/spring-web/src/test/java/org/springframework/web/context/support/ResourceTests.java
@@ -36,6 +36,8 @@ public void testServletContextResource() throws IOException {
 		MockServletContext sc = new MockServletContext();
 		Resource resource = new ServletContextResource(sc, "org/springframework/core/io/Resource.class");
 		doTestResource(resource);
+		Resource resourceNotExists = new ServletContextResource(sc, "org/springframework/core/io/ResourceNotExists.class");
+		doTestNotExistsResource(resourceNotExists);
 		assertThat(new ServletContextResource(sc, "org/springframework/core/../core/io/./Resource.class")).isEqualTo(resource);
 	}
 
@@ -48,6 +50,9 @@ public void testServletContextResourceWithRelativePath() throws IOException {
 	}
 
 	private void doTestResource(Resource resource) throws IOException {
+		assertThat(resource.getFile()).isNotNull();
+		assertThat(resource.exists()).isTrue();
+		assertThat(resource.isFile()).isTrue();
 		assertThat(resource.getFilename()).isEqualTo("Resource.class");
 		assertThat(resource.getURL().getFile().endsWith("Resource.class")).isTrue();
 
@@ -61,4 +66,9 @@ private void doTestResource(Resource resource) throws IOException {
 		assertThat(relative2.getURL().getFile().endsWith("ResourcePatternResolver.class")).isTrue();
 		assertThat(relative2.exists()).isTrue();
 	}
+
+	private void doTestNotExistsResource(Resource resource) throws IOException {
+		assertThat(resource.exists()).isFalse();
+		assertThat(resource.isFile()).isFalse();
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -139,10 +139,15 @@ public boolean isFile() {`
`139`	`139`	`return true;`
`140`	`140`	`}`
`141`	`141`	`else {`
`142`		`- return (this.servletContext.getRealPath(this.path) != null);`
	`142`	`+ String realPath = this.servletContext.getRealPath(this.path);`
	`143`	`+ if (realPath == null) {`
	`144`	`+ return false;`
	`145`	`+ }`
	`146`	`+ File file = new File(realPath);`
	`147`	`+ return (file.exists() && file.isFile());`
`143`	`148`	`}`
`144`	`149`	`}`
`145`		`- catch (MalformedURLException ex) {`
	`150`	`+ catch (IOException ex) {`
`146`	`151`	`return false;`
`147`	`152`	`}`
`148`	`153`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@ public void testServletContextResource() throws IOException {`
`36`	`36`	`MockServletContext sc = new MockServletContext();`
`37`	`37`	`Resource resource = new ServletContextResource(sc, "org/springframework/core/io/Resource.class");`
`38`	`38`	`doTestResource(resource);`
	`39`	`+ Resource resourceNotExists = new ServletContextResource(sc, "org/springframework/core/io/ResourceNotExists.class");`
	`40`	`+ doTestNotExistsResource(resourceNotExists);`
`39`	`41`	`assertThat(new ServletContextResource(sc, "org/springframework/core/../core/io/./Resource.class")).isEqualTo(resource);`
`40`	`42`	`}`
`41`	`43`
`@@ -48,6 +50,9 @@ public void testServletContextResourceWithRelativePath() throws IOException {`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`private void doTestResource(Resource resource) throws IOException {`
	`53`	`+ assertThat(resource.getFile()).isNotNull();`
	`54`	`+ assertThat(resource.exists()).isTrue();`
	`55`	`+ assertThat(resource.isFile()).isTrue();`
`51`	`56`	`assertThat(resource.getFilename()).isEqualTo("Resource.class");`
`52`	`57`	`assertThat(resource.getURL().getFile().endsWith("Resource.class")).isTrue();`
`53`	`58`
`@@ -61,4 +66,9 @@ private void doTestResource(Resource resource) throws IOException {`
`61`	`66`	`assertThat(relative2.getURL().getFile().endsWith("ResourcePatternResolver.class")).isTrue();`
`62`	`67`	`assertThat(relative2.exists()).isTrue();`
`63`	`68`	`}`
	`69`	`+`
	`70`	`+ private void doTestNotExistsResource(Resource resource) throws IOException {`
	`71`	`+ assertThat(resource.exists()).isFalse();`
	`72`	`+ assertThat(resource.isFile()).isFalse();`
	`73`	`+ }`
`64`	`74`	`}`