Spring InternalResourceView needs to implement checkResource method [SPR-7727]

Alex Portnov opened SPR-7727 and commented

InternalResourceView doesn't override checkResource method from AbstractUrlBasedView, which always returns true. This in turn causes InternalResourceViewResolver to return a View object even when corresponding JSP page doesn't exists.

I have the following configuration:

<bean id="statisticsView" class="org.springframework.web.servlet.view.xml.MarshallingView">
    <constructor-arg ref="jaxbMarshaller" />
    <property name="modelKey" value="statistics" />
</bean>

<!-- Resolves view names to protected .jsp resources within the /WEB-INF/views directory -->
<bean
    class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
    <property name="mediaTypes">
        <map>
            <entry key="js" value="text/javascript" />
            <entry key="html" value="text/html" />
            <entry key="xml" value="application/xml"/>
        </map>
    </property>
    <property name="viewResolvers">
    <list>
    <bean class="org.springframework.web.servlet.view.BeanNameViewResolver" />
            <bean 
                class="org.springframework.web.servlet.view.InternalResourceViewResolver">
                <property name="prefix" value="/WEB-INF/views/" />
                <property name="suffix" value=".jsp" />
            </bean>
    </list>
    </property>
    <property name="useNotAcceptableStatusCode" value="true" />
</bean>

When making request for statisticsView in the browser, which sends the following Accept header:

'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'

After the header is parsed by resolver text/html is the first media-type being looked for. Since InternalResourceViewResolver always return a view, even where jsp doesn't actually exists, I always get an error instead of getting XML representation, generated by the MarshallingView.

---

Affects: 3.0 GA

7 votes, 4 watchers

Comment From: spring-projects-issues

Ainthe Kitchen commented

Also: InternalResourceViewResolver DOES NOT perform any checks on viewName thus "escaping outside of specified prefix" is possible: @RequestMapping(value = "/secret") public String testSecret() { //String viewName="../spring/root-context.xml?"; String viewName="../secret"; logger.info(viewName); return viewName; }

This could bring security issues if developer uses dynamic and unvalidated viewNames build possibly from request parts.

IMHO this task of checking if resulting URI (prefix+viewName+sufix) is subordinate of prefix URI should be responisbility of this "convenience ViewResolver."

Comment From: spring-projects-issues

Sime Essert commented

Fixing this issue would be great because some other Framework modules are having trouble because of it: https://jira.springsource.org/browse/MOBILE-76

Comment From: bclozel

I think this is done on purpose. We cannot check for the existence of those JSP files, as typically the /WEB-INF/jsp/ folder is not accessible from the classpath. The only remaining option is to dispatch the request in the container, which is not an idempotent operation. I'm closing this issue as a result.