Spring mvc:resources access to outside folder

Published 2020-04-08 13:38

Question:

I have stored media (pictures and movies) in a folder (for example C:\test\tes.png) and I'm trying to access the pictures with a URL like http://localhost:8080/app/picture/test.png. To do that, I have used the resources tag (Spring 3) as below:

<mvc:resources mapping="/picture/**" location="file:/test" />

When I try to access, I have an error with no more details.

Requested Resource Not Found

I have in logs :

2011-11-07 20:48:55,241 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'Family' processing GET request for [/Family/photos/testImage2.png]
2011-11-07 20:48:55,241 [http-8080-2] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Matching patterns for request [/photos/testImage2.png] are [/**]
2011-11-07 20:48:55,241 [http-8080-2] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - URI Template variables for request [/photos/testImage2.png] are {}
2011-11-07 20:48:55,242 [http-8080-2] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Mapping [/photos/testImage2.png] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.DefaultServletHttpRequestHandler@3a779f5e] and 4 interceptors
2011-11-07 20:48:55,242 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/Family/photos/testImage2.png] is: -1
2011-11-07 20:48:55,242 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'Family': assuming HandlerAdapter completed request handling
2011-11-07 20:48:55,242 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet - Successfully completed request

I have certainly not understood everything...

Another question: I'm not sure this is a good approach. What are other solutions to access media in an external folder?

Thanks in advance !

Answer 1:

First question: "the mapping"

I am not 100% sure, but I would guess there is a final / missing from the location. Change it to:

<mvc:resources mapping="/picture/**" location="file:/test/" />

Another question: I'm not sure this is a good approach. What are other solutions to access media in an external folder?

In my humble opinion, it is very bad practice to give a web site user full read access to a folder. Attention: the access is not limited to the folder itself; the user can also access all subfolders.

And even if you decided to ignore this warning, then you must test what happens if someone invokes http://localhost:8080/app/picture/../someFile. I don't know what would happen, but **make 120% sure that nobody can access any file outside the picture folder!** -- I have had a look into the Spring implementation, and it seems that Spring already handles this issue.

Since Spring 3.2.12, 4.0.8, 4.1.2 the Resource Handler makes sure that you cannot access a folder outside the specified resource folder. (SPR-12354: Directory traversal with static resource handling (CVE-2014-3625))
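
The containment check the answer asks for, written out in Java as an added example (not part of the original answer and not Spring's own code). The class `MediaPathCheck`, the method `resolveInside` and the temporary directory layout are hypothetical names and constructed sample data.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

// Added illustration: hypothetical helper, not Spring's ResourceHttpRequestHandler.
public class MediaPathCheck {

    /** Returns the file to serve, or empty if the request leaves baseDir. */
    static Optional<Path> resolveInside(Path baseDir, String requested) throws IOException {
        Path realBase = baseDir.toRealPath();            // canonical base, symlinks resolved
        Path candidate;
        try {
            // normalize() collapses "." and ".." segments before the comparison
            candidate = realBase.resolve(requested).normalize();
        } catch (InvalidPathException e) {               // e.g. embedded NUL character
            return Optional.empty();
        }
        // Path.startsWith compares whole path elements, so "/picture-old" is not inside "/picture"
        if (!candidate.startsWith(realBase) || !Files.isRegularFile(candidate)) {
            return Optional.empty();
        }
        // Resolve symlinks as well, so a link inside the folder cannot point outside it
        Path real = candidate.toRealPath();
        return real.startsWith(realBase) ? Optional.of(real) : Optional.empty();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/picture/test.png and <tmp>/someFile
        Path root = Files.createTempDirectory("media-demo");
        Path picture = Files.createDirectory(root.resolve("picture"));
        Files.write(picture.resolve("test.png"), new byte[] {1});
        Files.write(root.resolve("someFile"), new byte[] {2});

        String[] requests = {"test.png", "../someFile", "sub/../test.png", "missing.png"};
        for (String r : requests) {
            boolean ok = resolveInside(picture, r).isPresent();
            System.out.println(r + " -> " + (ok ? "serve" : "not found"));
        }
    }
}
```

Run the check on the path exactly as the application will open it, after any URL decoding, so that encoded `..` segments are compared in their decoded form.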