Reinstate removal of jsessionid from lookup path

rstoyanchev · rstoyanchev · commit eb11c6fa2330 · 2020-10-07T11:31:52.000+01:00
Closes gh-25864
diff --git a/spring-web/src/main/java/org/springframework/web/util/UrlPathHelper.java b/spring-web/src/main/java/org/springframework/web/util/UrlPathHelper.java
@@ -556,7 +556,8 @@ protected String determineEncoding(HttpServletRequest request) {
 	 * @return the updated URI string
 	 */
 	public String removeSemicolonContent(String requestUri) {
-		return (this.removeSemicolonContent ? removeSemicolonContentInternal(requestUri) : requestUri);
+		return (this.removeSemicolonContent ?
+				removeSemicolonContentInternal(requestUri) : removeJsessionid(requestUri));
 	}
 
 	private String removeSemicolonContentInternal(String requestUri) {
@@ -570,6 +571,22 @@ private String removeSemicolonContentInternal(String requestUri) {
 		return requestUri;
 	}
 
+	private String removeJsessionid(String requestUri) {
+		String key = ";jsessionid=";
+		int index = requestUri.toLowerCase().indexOf(key);
+		if (index == -1) {
+			return requestUri;
+		}
+		String start = requestUri.substring(0, index);
+		for (int i = key.length(); i < requestUri.length(); i++) {
+			char c = requestUri.charAt(i);
+			if (c == ';' || c == '/') {
+				return start + requestUri.substring(i);
+			}
+		}
+		return start;
+	}
+
 	/**
 	 * Decode the given URI path variables via {@link #decodeRequestString} unless
 	 * {@link #setUrlDecode} is set to {@code true} in which case it is assumed
@@ -675,7 +692,13 @@ private boolean shouldRemoveTrailingServletPathSlash(HttpServletRequest request)
 	 * <li>{@code defaultEncoding=}{@link WebUtils#DEFAULT_CHARACTER_ENCODING}
 	 * </ul>
 	 */
-	public static final UrlPathHelper rawPathInstance = new UrlPathHelper();
+	public static final UrlPathHelper rawPathInstance = new UrlPathHelper() {
+
+		@Override
+		public String removeSemicolonContent(String requestUri) {
+			return requestUri;
+		}
+	};
 
 	static {
 		rawPathInstance.setAlwaysUseFullPath(true);
diff --git a/spring-web/src/test/java/org/springframework/web/util/UrlPathHelperTests.java b/spring-web/src/test/java/org/springframework/web/util/UrlPathHelperTests.java
@@ -133,7 +133,7 @@ public void getRequestKeepSemicolonContent() {
 		assertThat(helper.getRequestUri(request)).isEqualTo("/foo;a=b;c=d");
 
 		request.setRequestURI("/foo;jsessionid=c0o7fszeb1");
-		assertThat(helper.getRequestUri(request)).isEqualTo("/foo;jsessionid=c0o7fszeb1");
+		assertThat(helper.getRequestUri(request)).isEqualTo("/foo");
 	}
 
 	@Test
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestResponseBodyMethodProcessorTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestResponseBodyMethodProcessorTests.java
@@ -389,6 +389,7 @@ public void addContentDispositionHeader() throws Exception {
 		assertContentDisposition(processor, true, "/hello.json;a=b;setup.dataless", "unknown ext in path params");
 		assertContentDisposition(processor, true, "/hello.dataless;a=b;setup.json", "unknown ext in filename");
 		assertContentDisposition(processor, false, "/hello.json;a=b;setup.json", "safe extensions");
+		assertContentDisposition(processor, true, "/hello.json;jsessionid=foo.bar", "jsessionid shouldn't cause issue");
 
 		// encoded dot
 		assertContentDisposition(processor, true, "/hello%2Edataless;a=b;setup.json", "encoded dot in filename");
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/UriTemplateServletAnnotationControllerHandlerMethodTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/UriTemplateServletAnnotationControllerHandlerMethodTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -69,6 +69,28 @@ public void simple() throws Exception {
 		assertThat(response.getContentAsString()).isEqualTo("test-42-7");
 	}
 
+	@Test // gh-25864
+	public void literalMappingWithPathParams() throws Exception {
+		initServletWithControllers(MultipleUriTemplateController.class);
+
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/data");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		getServlet().service(request, response);
+		assertThat(response.getStatus()).isEqualTo(200);
+		assertThat(response.getContentAsString()).isEqualTo("test");
+
+		request = new MockHttpServletRequest("GET", "/data;foo=bar");
+		response = new MockHttpServletResponse();
+		getServlet().service(request, response);
+		assertThat(response.getStatus()).isEqualTo(404);
+
+		request = new MockHttpServletRequest("GET", "/data;jsessionid=123");
+		response = new MockHttpServletResponse();
+		getServlet().service(request, response);
+		assertThat(response.getStatus()).isEqualTo(200);
+		assertThat(response.getContentAsString()).isEqualTo("test");
+	}
+
 	@Test
 	public void multiple() throws Exception {
 		initServletWithControllers(MultipleUriTemplateController.class);
@@ -388,6 +410,10 @@ public void handle(@PathVariable("hotel") String hotel,
 			writer.write("test-" + hotel + "-q" + qHotel + "-" + booking + "-" + other + "-q" + qOther);
 		}
 
+		@RequestMapping("/data")
+		void handleWithLiteralMapping(Writer writer) throws IOException {
+			writer.write("test");
+		}
 	}
 
 	@Controller

Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,7 @@ public void getRequestKeepSemicolonContent() {`
`133`	`133`	`assertThat(helper.getRequestUri(request)).isEqualTo("/foo;a=b;c=d");`
`134`	`134`
`135`	`135`	`request.setRequestURI("/foo;jsessionid=c0o7fszeb1");`
`136`		`- assertThat(helper.getRequestUri(request)).isEqualTo("/foo;jsessionid=c0o7fszeb1");`
	`136`	`+ assertThat(helper.getRequestUri(request)).isEqualTo("/foo");`
`137`	`137`	`}`
`138`	`138`
`139`	`139`	`@Test`