Escape filePath before calling check file access (#703)
Co-authored-by: 杨赫然 <[email protected]>
feiniks and 杨赫然 authored Sep 20, 2024
1 parent 6649fad commit 4adceee
Showing 1 changed file with 4 additions and 7 deletions.
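--- a/fileserver/fileop.go
+++ b/fileserver/fileop.go
@@ -241,12 +241,9 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
 msg := "No file path\n"
 return &appError{nil, msg, http.StatusBadRequest}
 }
-decPath, err := url.PathUnescape(filePath)
-if err != nil {
-msg := fmt.Sprintf("File path %s can't be decoded\n", filePath)
-return &appError{nil, msg, http.StatusBadRequest}
-}
-rpath := getCanonPath(decPath)
+// filePath will be unquote by mux, we need to escape filePath before calling check file access.
+escPath := url.PathEscape(filePath)
+rpath := getCanonPath(filePath)
 fileName := filepath.Base(rpath)
 
 op := r.URL.Query().Get("op")
@@ -263,7 +260,7 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
 return &appError{nil, msg, http.StatusBadRequest}
 }
 
-user, appErr := checkFileAccess(repoID, token, cookie, filePath, "download")
+user, appErr := checkFileAccess(repoID, token, cookie, escPath, "download")
 if appErr != nil {
 return appErr
 }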
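Review bot: The access check in the second hunk runs on `escPath`, built from the raw `filePath`, while the file name and path used afterwards come from `rpath := getCanonPath(filePath)`, so the authorized path and the served path are two separately derived strings. If `getCanonPath` normalizes anything (its body is not visible here), a request could be authorized in one form and served in another; deriving both from the canonical value, `rpath := getCanonPath(filePath)` followed by `escPath := url.PathEscape(rpath)`, would keep the check and the use in step. `url.PathEscape` also encodes `/` as `%2F`, so the new comment should say that `checkFileAccess` is expected to receive a fully percent-encoded path that the receiving side decodes exactly once. `accessV2CB` starts before the first hunk and continues past the second, so how `rpath` is consumed later cannot be confirmed from this page.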
