XWIKI-23898: Improve classpath resolution for Tomcat

(cherry picked from commit a979caf)

Author: tmortagne

xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/main/java/org/xwiki/classloader/internal/ClassLoaderUtils.java

@@ -47,20 +47,30 @@ private static String resolveResourceName(String prefixPath, String resourcePath
             fullPath = resourcePath;
 
             // Prevent access to resources from other directories
-            // TODO: find or implement something closed to Servlet ClassLoader behavior to be as accurate as possible
-            // and be able to reuse the normalized result
-            Path normalizedResource = Paths.get(fullPath).normalize();
+            // TODO: find or implement something closer to Servlet ClassLoader behavior to be as accurate as possible
+            // and be able to reuse the normalized result. Not so easy since the various applications servers can use
+            // different logics.
+
+            // On Tomcat, all leading / have no effect, contrary to Paths#normalize()
+            int index = 0;
+            while (index < fullPath.length() && fullPath.charAt(index) == '/') {
+                ++index;
+            }
+            String normalizedPath = fullPath.substring(index);
+
+            Path normalizedResource = Paths.get(normalizedPath).normalize();
             if (normalizedResource.startsWith("../")) {
                 throw new IllegalArgumentException(String.format(
                     "The provided resource name [%s] is trying to navigate out of the mandatory root location",
-                    resourcePath));
+                    fullPath));
             }
         } else {
             fullPath = prefixPath + resourcePath;
 
             // Prevent access to resources from other directories
             // TODO: find or implement something closed to Servlet ClassLoader behavior to be as accurate as possible
-            // and be able to reuse the normalized result
+            // and be able to reuse the normalized result. Not so easy since the various applications servers can use
+            // different logics.
             Path normalizedResource = Paths.get(fullPath).normalize();
             if (!normalizedResource.startsWith(prefixPath)) {
                 throw new IllegalArgumentException(String.format(

xwiki-commons-core/xwiki-commons-classloader/xwiki-commons-classloader-api/src/test/java/org/xwiki/classloader/internal/ClassLoaderUtilsTest.java

@@ -85,6 +85,8 @@ void getResource()
         assertSame(this.resouceURL, ClassLoaderUtils.getResource(this.classLoader, RESOURCE_NAME_BACK));
 
         assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, ".."));
+        assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, "/.."));
+        assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, "////.."));
         assertThrows(IllegalArgumentException.class, () -> ClassLoaderUtils.getResource(this.classLoader, "./.."));
         assertThrows(IllegalArgumentException.class,
             () -> ClassLoaderUtils.getResource(this.classLoader, "resource/../.."));
@@ -106,6 +108,10 @@ void getResourceAsStream()
 
         assertThrows(IllegalArgumentException.class,
             () -> ClassLoaderUtils.getResourceAsStream(this.classLoader, ".."));
+        assertThrows(IllegalArgumentException.class,
+            () -> ClassLoaderUtils.getResourceAsStream(this.classLoader, "/.."));
+        assertThrows(IllegalArgumentException.class,
+            () -> ClassLoaderUtils.getResourceAsStream(this.classLoader, "///.."));
         assertThrows(IllegalArgumentException.class,
             () -> ClassLoaderUtils.getResourceAsStream(this.classLoader, "./.."));
         assertThrows(IllegalArgumentException.class,