authorzeripath <art27@cantab.net>2022-03-22 21:02:26 +0000
committerGitHub <noreply@github.com>2022-03-22 17:02:26 -0400
commit3f71ab9a12f12a021c3f7b9d8cf89c4fe45bf3e4 (patch)
tree734c7830b58d66516c2f9229134ca08ea19c81d5 /routers
parentd2c165811a1bad081b2e99ca580e3bdbb18171f0 (diff)
downloadgitea-3f71ab9a12f12a021c3f7b9d8cf89c4fe45bf3e4.tar.gz
gitea-3f71ab9a12f12a021c3f7b9d8cf89c4fe45bf3e4.zip
Clean paths when looking in Storage (#19124)
* Clean paths when looking in Storage Ensure paths are clean for minio as well as local storage. Use url.Path not RequestURI/EscapedPath in storageHandler. Signed-off-by: Andrew Thornton <art27@cantab.net> * Apply suggestions from code review Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'routers')
-rw-r--r--routers/web/base.go21
1 files changed, 10 insertions, 11 deletions
diff --git a/routers/web/base.go b/routers/web/base.go
index f7eb003cc4..3e873c5826 100644
--- a/routers/web/base.go
+++ b/routers/web/base.go
@@ -11,7 +11,6 @@ import (
"net/http"
"os"
"path"
- "path/filepath"
"strings"
"code.gitea.io/gitea/modules/context"
@@ -28,6 +27,7 @@ import (
)
func storageHandler(storageSetting setting.Storage, prefix string, objStore storage.ObjectStorage) func(next http.Handler) http.Handler {
+ prefix = strings.Trim(prefix, "/")
funcInfo := routing.GetFuncInfo(storageHandler, prefix)
return func(next http.Handler) http.Handler {
if storageSetting.ServeDirect {
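Review bot: storageHandler has no doc comment, and with this change the normalisation of `prefix` becomes part of its contract, since both branches now match on `"/"+prefix+"/"`. A comment such as `// storageHandler serves objects under "/"+prefix+"/"; prefix is trimmed of slashes and the rest of req.URL.Path is cleaned before it reaches objStore.` would record that. If `prefix` is empty or consists only of slashes, the match string becomes `"//"` and nearly every request falls through to `next`; the comment should say whether that is intended. The function body continues outside the hunk.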
@@ -37,13 +37,15 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
return
}
- if !strings.HasPrefix(req.URL.RequestURI(), "/"+prefix) {
+ if !strings.HasPrefix(req.URL.Path, "/"+prefix+"/") {
next.ServeHTTP(w, req)
return
}
routing.UpdateFuncInfo(req.Context(), funcInfo)
- rPath := strings.TrimPrefix(req.URL.RequestURI(), "/"+prefix)
+ rPath := strings.TrimPrefix(req.URL.Path, "/"+prefix+"/")
+ rPath = path.Clean("/" + strings.ReplaceAll(rPath, "\\", "/"))[1:]
+
u, err := objStore.URL(rPath, path.Base(rPath))
if err != nil {
if os.IsNotExist(err) || errors.Is(err, os.ErrNotExist) {
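Review bot: The ServeDirect branch passes `rPath` to `objStore.URL` without the empty-path check that the other branch keeps after the same `path.Clean` line (the hunk at -70). A request for `/<prefix>/`, or one whose remainder cleans to the root, leaves `rPath` as `""` and `path.Base(rPath)` as `"."`, so the storage backend is asked for a URL to an empty key. Adding `if rPath == "" { http.Error(w, "file not found", http.StatusNotFound); return }` before the `objStore.URL` call would make the two branches agree. The enclosing handler starts and ends outside this hunk.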
@@ -55,11 +57,12 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
http.Error(w, fmt.Sprintf("Error whilst getting URL for %s %s", prefix, rPath), 500)
return
}
+
http.Redirect(
w,
req,
u.String(),
- 301,
+ http.StatusMovedPermanently,
)
})
}
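Review bot: The redirect to `u.String()` remains permanent, and clients and intermediaries may cache a 301 indefinitely. If `objStore.URL` returns a time-limited signed URL (not visible in this hunk), a cached redirect will point at an expired link, and `http.StatusTemporaryRedirect` would be the safer status. The `500` literal in the `http.Error` call above was left in place while `301` was replaced; `http.StatusInternalServerError` would keep the hunk consistent. The enclosing handler starts outside the hunk.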
@@ -70,22 +73,18 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
return
}
- prefix := strings.Trim(prefix, "/")
-
- if !strings.HasPrefix(req.URL.EscapedPath(), "/"+prefix+"/") {
+ if !strings.HasPrefix(req.URL.Path, "/"+prefix+"/") {
next.ServeHTTP(w, req)
return
}
routing.UpdateFuncInfo(req.Context(), funcInfo)
- rPath := strings.TrimPrefix(req.URL.EscapedPath(), "/"+prefix+"/")
- rPath = strings.TrimPrefix(rPath, "/")
+ rPath := strings.TrimPrefix(req.URL.Path, "/"+prefix+"/")
+ rPath = path.Clean("/" + strings.ReplaceAll(rPath, "\\", "/"))[1:]
if rPath == "" {
http.Error(w, "file not found", 404)
return
}
- rPath = path.Clean("/" + filepath.ToSlash(rPath))
- rPath = rPath[1:]
fi, err := objStore.Stat(rPath)
if err == nil && httpcache.HandleTimeCache(req, w, fi) {