haiwen/seafile-server
1
0
Fork 0
mirror of https://github.com/haiwen/seafile-server.git synced 2025-08-25 10:08:33 +00:00
Code Issues Releases Wiki Activity

Use QueryEscape to encode url path (#716)

Browse Source 
* Use QueryEscape to encode url path

* Encode url path

---------

Co-authored-by: 杨赫然 <heran.yang@seafile.com>
This commit is contained in:
feiniks 2024-11-14 14:10:02 +08:00 committed by GitHub
parent b1e7323647
commit 2cf6b99f40
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fileserver/fileop.go
View File

@ -242,7 +242,7 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
return &appError{nil, msg, http.StatusBadRequest} return &appError{nil, msg, http.StatusBadRequest}
} }
// filePath will be unquote by mux, we need to escape filePath before calling check file access. // filePath will be unquote by mux, we need to escape filePath before calling check file access.
escPath := url.PathEscape(filePath) escPath := url.QueryEscape(filePath)
rpath := getCanonPath(filePath) rpath := getCanonPath(filePath)
fileName := filepath.Base(rpath) fileName := filepath.Base(rpath)

2
server/access-file.c
View File

@ -1537,7 +1537,7 @@ access_v2_cb(evhtp_request_t *req, void *arg)
error_str = "Both token and cookie are not set\n"; error_str = "Both token and cookie are not set\n";
goto out; goto out;
} }
if (http_tx_manager_check_file_access (repo_id, token, cookie, path, "download", &user) < 0) { if (http_tx_manager_check_file_access (repo_id, token, cookie, dec_path, "download", &user) < 0) {
error_str = "No permission to access file\n"; error_str = "No permission to access file\n";
error_code = EVHTP_RES_FORBIDDEN; error_code = EVHTP_RES_FORBIDDEN;
goto out; goto out;

5
server/http-tx-mgr.c
View File

@ -700,6 +700,7 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
char *jwt_token = NULL; char *jwt_token = NULL;
char *rsp_content = NULL; char *rsp_content = NULL;
gint64 rsp_size; gint64 rsp_size;
char *esc_path = NULL;
char *url = NULL; char *url = NULL;
jwt_token = gen_jwt_token (); jwt_token = gen_jwt_token ();
@ -733,7 +734,8 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
g_free (cookie_header); g_free (cookie_header);
} }
url = g_strdup_printf("%s/repos/%s/check-access/?path=%s", seaf->seahub_url, repo_id, path); esc_path = g_uri_escape_string(path, NULL, FALSE);
url = g_strdup_printf("%s/repos/%s/check-access/?path=%s", seaf->seahub_url, repo_id, esc_path);
ret = http_post_common (curl, url, &headers, jwt_token, req_content, strlen(req_content), ret = http_post_common (curl, url, &headers, jwt_token, req_content, strlen(req_content),
&rsp_status, &rsp_content, &rsp_size, TRUE, 1); &rsp_status, &rsp_content, &rsp_size, TRUE, 1);
if (ret < 0) { if (ret < 0) {
@ -755,6 +757,7 @@ http_tx_manager_check_file_access (const char *repo_id, const char *token, const
out: out:
if (content) if (content)
json_decref (content); json_decref (content);
g_free (esc_path);
g_free (url); g_free (url);
g_free (jwt_token); g_free (jwt_token);
g_free (req_content); g_free (req_content);