haiwen/seafile-server
1
0
Fork 0
mirror of https://github.com/haiwen/seafile-server.git synced 2025-04-27 19:15:07 +00:00
Code Issues Releases Wiki Activity

Escape filePath before calling check file access (#703)

Browse Source 
Co-authored-by: 杨赫然 <heran.yang@seafile.com>
This commit is contained in:
feiniks 2024-09-20 11:26:41 +08:00 committed by GitHub
parent 6649fada8c
commit 4adceee73d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 4 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
fileserver/fileop.go
View File

@ -241,12 +241,9 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
msg := "No file path\n"
return &appError{nil, msg, http.StatusBadRequest}
}
decPath, err := url.PathUnescape(filePath)
if err != nil {
msg := fmt.Sprintf("File path %s can't be decoded\n", filePath)
return &appError{nil, msg, http.StatusBadRequest}
}
rpath := getCanonPath(decPath)
// filePath will be unquote by mux, we need to escape filePath before calling check file access.
escPath := url.PathEscape(filePath)
rpath := getCanonPath(filePath)
fileName := filepath.Base(rpath)
op := r.URL.Query().Get("op")
@ -263,7 +260,7 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
return &appError{nil, msg, http.StatusBadRequest}
}
user, appErr := checkFileAccess(repoID, token, cookie, filePath, "download")
user, appErr := checkFileAccess(repoID, token, cookie, escPath, "download")
if appErr != nil {
return appErr
}