Use QueryEscape to encode url path (#716)

* Use QueryEscape to encode url path * Encode url path --------- Co-authored-by: 杨赫然 <[email protected]>
haiwen · Nov 14, 2024 · 2cf6b99 · 2cf6b99
1 parent b1e7323
commit 2cf6b99
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/fileserver/fileop.go b/fileserver/fileop.go
@@ -242,7 +242,7 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
 		return &appError{nil, msg, http.StatusBadRequest}
 	}
 	// filePath will be unquote by mux, we need to escape filePath before calling check file access.
-	escPath := url.PathEscape(filePath)
+	escPath := url.QueryEscape(filePath)
 	rpath := getCanonPath(filePath)
 	fileName := filepath.Base(rpath)
 

diff --git a/server/access-file.c b/server/access-file.c
@@ -1537,7 +1537,7 @@ access_v2_cb(evhtp_request_t *req, void *arg)
         error_str = "Both token and cookie are not set\n";
         goto out;
     }
-    if (http_tx_manager_check_file_access (repo_id, token, cookie, path, "download", &user) < 0) {
+    if (http_tx_manager_check_file_access (repo_id, token, cookie, dec_path, "download", &user) < 0) {
         error_str = "No permission to access file\n";
         error_code = EVHTP_RES_FORBIDDEN;
         goto out;

diff --git a/server/http-tx-mgr.c b/server/http-tx-mgr.c
@@ -700,6 +700,7 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
     char *jwt_token = NULL;
     char *rsp_content = NULL;
     gint64 rsp_size;
+    char *esc_path = NULL;
     char *url = NULL;
 
     jwt_token = gen_jwt_token ();
@@ -733,7 +734,8 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
         g_free (cookie_header);
     }
 
-    url = g_strdup_printf("%s/repos/%s/check-access/?path=%s", seaf->seahub_url, repo_id, path);
+    esc_path = g_uri_escape_string(path, NULL, FALSE);
+    url = g_strdup_printf("%s/repos/%s/check-access/?path=%s", seaf->seahub_url, repo_id, esc_path);
     ret = http_post_common (curl, url, &headers, jwt_token, req_content, strlen(req_content),
                             &rsp_status, &rsp_content, &rsp_size, TRUE, 1);
     if (ret < 0) {
@@ -755,6 +757,7 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
 out:
     if (content)
         json_decref (content);
+    g_free (esc_path);
     g_free (url);
     g_free (jwt_token);
     g_free (req_content);