Encode url path

haiwen · Nov 13, 2024 · e5543a2 · e5543a2
1 parent 9e6eb6e
commit e5543a2
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/server/access-file.c b/server/access-file.c
@@ -1537,7 +1537,7 @@ access_v2_cb(evhtp_request_t *req, void *arg)
         error_str = "Both token and cookie are not set\n";
         goto out;
     }
-    if (http_tx_manager_check_file_access (repo_id, token, cookie, path, "download", &user) < 0) {
+    if (http_tx_manager_check_file_access (repo_id, token, cookie, dec_path, "download", &user) < 0) {
         error_str = "No permission to access file\n";
         error_code = EVHTP_RES_FORBIDDEN;
         goto out;

diff --git a/server/http-tx-mgr.c b/server/http-tx-mgr.c
@@ -700,6 +700,7 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
     char *jwt_token = NULL;
     char *rsp_content = NULL;
     gint64 rsp_size;
+    char *esc_path = NULL;
     char *url = NULL;
 
     jwt_token = gen_jwt_token ();
@@ -733,7 +734,8 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
         g_free (cookie_header);
     }
 
-    url = g_strdup_printf("%s/repos/%s/check-access/?path=%s", seaf->seahub_url, repo_id, path);
+    esc_path = g_uri_escape_string(path, NULL, FALSE);
+    url = g_strdup_printf("%s/repos/%s/check-access/?path=%s", seaf->seahub_url, repo_id, esc_path);
     ret = http_post_common (curl, url, &headers, jwt_token, req_content, strlen(req_content),
                             &rsp_status, &rsp_content, &rsp_size, TRUE, 1);
     if (ret < 0) {
@@ -755,6 +757,7 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
 out:
     if (content)
         json_decref (content);
+    g_free (esc_path);
     g_free (url);
     g_free (jwt_token);
     g_free (req_content);