Enfoce single version removal in content versioning

bclozel · bclozel · commit 8d51f47357e4 · 2026-04-23T15:08:06.000+02:00
Prior to this commit, content based version strategies would remove all instances of the version string in the request path when trying to resolve the original resource with the chain. This can cause issues in rare cases where there is a collision between the content version and some other version string in the request path. Because this strategy is based on the contents of the file itself, we should only remove the last instance of the version string and then attempt to resolve the original file. Fixes gh-36698
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/AbstractFileNameVersionStrategy.java b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/AbstractFileNameVersionStrategy.java
@@ -55,7 +55,12 @@ public String extractVersion(String requestPath) {
 
 	@Override
 	public String removeVersion(String requestPath, String version) {
-		return StringUtils.delete(requestPath, "-" + version);
+		String versionString = "-" + version;
+		int index = requestPath.lastIndexOf(versionString);
+		if (index != -1) {
+			return requestPath.substring(0, index) + requestPath.substring(index + versionString.length());
+		}
+		return requestPath;
 	}
 
 	@Override
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/VersionResourceResolver.java b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/VersionResourceResolver.java
@@ -179,6 +179,9 @@ private Mono<Resource> resolveVersionedResource(@Nullable ServerWebExchange exch
 		}
 
 		String simplePath = versionStrategy.removeVersion(requestPath, candidate);
+		if (ResourceHandlerUtils.shouldIgnoreInputPath(simplePath)) {
+			return Mono.empty();
+		}
 		return chain.resolveResource(exchange, simplePath, locations)
 				.filterWhen(resource -> versionStrategy.getResourceVersion(resource)
 						.map(actual -> {
diff --git a/spring-webflux/src/test/java/org/springframework/web/reactive/resource/ContentBasedVersionStrategyTests.java b/spring-webflux/src/test/java/org/springframework/web/reactive/resource/ContentBasedVersionStrategyTests.java
@@ -62,6 +62,14 @@ void removeVersion() {
 		assertThat(this.strategy.removeVersion(String.format(path, "-", hash), hash)).isEqualTo(String.format(path, "", ""));
 	}
 
+	@Test
+	void removeVersionOnlyOnce() {
+		String hash = "sha";
+		String path = "font-awesome/css%s%s/font-awesome.min%s%s.css";
+
+		assertThat(this.strategy.removeVersion(String.format(path, "-", hash, "-", hash), hash)).isEqualTo(String.format(path, "-", hash, "", ""));
+	}
+
 	@Test
 	void getResourceVersion() throws Exception {
 		Resource expected = new ClassPathResource("test/bar.css", getClass());
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/AbstractVersionStrategy.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/AbstractVersionStrategy.java
@@ -137,7 +137,12 @@ public String extractVersion(String requestPath) {
 
 		@Override
 		public String removeVersion(String requestPath, String version) {
-			return StringUtils.delete(requestPath, "-" + version);
+			String versionString = "-" + version;
+			int index = requestPath.lastIndexOf(versionString);
+			if (index != -1) {
+				return requestPath.substring(0, index) + requestPath.substring(index + versionString.length());
+			}
+			return requestPath;
 		}
 
 		@Override
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/VersionResourceResolver.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/VersionResourceResolver.java
@@ -177,6 +177,9 @@ protected Resource resolveResourceInternal(@Nullable HttpServletRequest request,
 		}
 
 		String simplePath = versionStrategy.removeVersion(requestPath, candidateVersion);
+		if (ResourceHandlerUtils.shouldIgnoreInputPath(simplePath)) {
+			return null;
+		}
 		Resource baseResource = chain.resolveResource(request, simplePath, locations);
 		if (baseResource == null) {
 			return null;
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ContentBasedVersionStrategyTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/resource/ContentBasedVersionStrategyTests.java
@@ -63,6 +63,14 @@ void removeVersion() {
 		assertThat(this.versionStrategy.removeVersion(String.format(file, "-", hash), hash)).isEqualTo(String.format(file, "", ""));
 	}
 
+	@Test
+	void removeVersionOnlyOnce() {
+		String hash = "sha";
+		String file = "font-awesome/css%s%s/font-awesome.min%s%s.css";
+
+		assertThat(this.versionStrategy.removeVersion(String.format(file, "-", hash, "-", hash), hash)).isEqualTo(String.format(file, "-", hash, "", ""));
+	}
+
 	@Test
 	void getResourceVersion() throws IOException {
 		Resource expected = new ClassPathResource("test/bar.css", getClass());

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,9 @@ private Mono<Resource> resolveVersionedResource(@Nullable ServerWebExchange exch`
`179`	`179`	`}`
`180`	`180`
`181`	`181`	`String simplePath = versionStrategy.removeVersion(requestPath, candidate);`
	`182`	`+ if (ResourceHandlerUtils.shouldIgnoreInputPath(simplePath)) {`
	`183`	`+ return Mono.empty();`
	`184`	`+ }`
`182`	`185`	`return chain.resolveResource(exchange, simplePath, locations)`
`183`	`186`	`.filterWhen(resource -> versionStrategy.getResourceVersion(resource)`
`184`	`187`	`.map(actual -> {`
Original file line number	Diff line number	Diff line change
`@@ -177,6 +177,9 @@ protected Resource resolveResourceInternal(@Nullable HttpServletRequest request,`
`177`	`177`	`}`
`178`	`178`
`179`	`179`	`String simplePath = versionStrategy.removeVersion(requestPath, candidateVersion);`
	`180`	`+ if (ResourceHandlerUtils.shouldIgnoreInputPath(simplePath)) {`
	`181`	`+ return null;`
	`182`	`+ }`
`180`	`183`	`Resource baseResource = chain.resolveResource(request, simplePath, locations);`
`181`	`184`	`if (baseResource == null) {`
`182`	`185`	`return null;`