From 2cf6b99f408def64d51fad44292dccca7b7b639e Mon Sep 17 00:00:00 2001
From: feiniks <36756310+feiniks@users.noreply.github.com>
Date: Thu, 14 Nov 2024 14:10:02 +0800
Subject: [PATCH] Use QueryEscape to encode url path (#716)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Use QueryEscape to encode url path
* Encode url path
---------
Co-authored-by: 杨赫然
---
 fileserver/fileop.go | 2 +-
 server/access-file.c | 2 +-
 server/http-tx-mgr.c | 5 ++++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/fileserver/fileop.go b/fileserver/fileop.go
index 48268d7..8320f77 100644
--- a/fileserver/fileop.go
+++ b/fileserver/fileop.go
@@ -242,7 +242,7 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
 return &appError{nil, msg, http.StatusBadRequest}
 }
 // filePath will be unquote by mux, we need to escape filePath before calling check file access.
- escPath := url.PathEscape(filePath)
+ escPath := url.QueryEscape(filePath)
 rpath := getCanonPath(filePath)
 fileName := filepath.Base(rpath)
diff --git a/server/access-file.c b/server/access-file.c
index b76f4cc..0672add 100644
--- a/server/access-file.c
+++ b/server/access-file.c
@@ -1537,7 +1537,7 @@ access_v2_cb(evhtp_request_t *req, void *arg)
 error_str = "Both token and cookie are not set\n";
 goto out;
 }
- if (http_tx_manager_check_file_access (repo_id, token, cookie, path, "download", &user) < 0) {
+ if (http_tx_manager_check_file_access (repo_id, token, cookie, dec_path, "download", &user) < 0) {
 error_str = "No permission to access file\n";
 error_code = EVHTP_RES_FORBIDDEN;
 goto out;
diff --git a/server/http-tx-mgr.c b/server/http-tx-mgr.c
index de580a5..73a6021 100644
--- a/server/http-tx-mgr.c
+++ b/server/http-tx-mgr.c
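Review bot: In accessV2CB (fileserver/fileop.go) the access check and the file lookup are derived from different forms of the same input: `escPath` is built from the raw `filePath`, while `rpath` on the next line comes from `getCanonPath(filePath)`. If getCanonPath normalises anything (its body is not in this hunk), the path that is authorised can differ from the path that is served; computing `rpath` first and using `escPath := url.QueryEscape(rpath)` would keep the two aligned, provided the check-access endpoint accepts the canonical form. The same question applies to `dec_path` in the access_v2_cb hunk of server/access-file.c, where the variable later used to locate the file is not visible. accessV2CB continues outside the hunk.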
@@ -700,6 +700,7 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
 char *jwt_token = NULL;
 char *rsp_content = NULL;
 gint64 rsp_size;
+ char *esc_path = NULL;
 char *url = NULL;
 jwt_token = gen_jwt_token ();
@@ -733,7 +734,8 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
 g_free (cookie_header);
 }
- url = g_strdup_printf("%s/repos/%s/check-access/?path=%s", seaf->seahub_url, repo_id, path);
+ esc_path = g_uri_escape_string(path, NULL, FALSE);
+ url = g_strdup_printf("%s/repos/%s/check-access/?path=%s", seaf->seahub_url, repo_id, esc_path);
 ret = http_post_common (curl, url, &headers, jwt_token, req_content, strlen(req_content), &rsp_status, &rsp_content, &rsp_size, TRUE, 1);
 if (ret < 0) {
@@ -755,6 +757,7 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
 out:
 if (content)
 json_decref (content);
+ g_free (esc_path);
 g_free (url);
 g_free (jwt_token);
 g_free (req_content);
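Review bot: The calling contract of http_tx_manager_check_file_access changes without being recorded in the `-733,7 +734,8` hunk: `path` is now percent-encoded inside the function, so callers must pass the decoded path, and any caller outside this patch that still pre-encodes would be double-encoded and checked against a different name. A comment above the new `g_uri_escape_string` line would pin that down, e.g. `/* path is the decoded repo path; escaped here so '&', '#' or '+' in a file name cannot alter the check-access query. Callers must not pre-encode. */`. `repo_id` is still interpolated raw into the same format string; its validation is not visible in these hunks and is worth confirming. The function body starts and ends outside the hunks shown.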