authorYarden Shoham <hrsi88@gmail.com>2023-02-12 11:39:52 +0200
committerGitHub <noreply@github.com>2023-02-12 09:39:52 +0000
commit43d1183f67783ff5d5a7ebecaf22da36e57dbb8e (patch)
treea80af38cdd5428413af1e80e8dd5ae2d83c947b6 /services
parent8fa419c4c1e34e4f26adf9323d4886bbb558df25 (diff)
downloadgitea-43d1183f67783ff5d5a7ebecaf22da36e57dbb8e.tar.gz
gitea-43d1183f67783ff5d5a7ebecaf22da36e57dbb8e.zip
escape filename when assemble URL (#22850) (#22871)
Backport #22850 Fixes: #22843 ### Cause: https://github.com/go-gitea/gitea/blob/affdd40296960a08a4223330ccbd1fb88c96ea1a/services/repository/files/content.go#L161 Previously, we did not escape a **"%"** that might be in "treePath" when calling "url.Parse()". ![image](https://user-images.githubusercontent.com/33891828/218066318-5a909e50-2a17-46e6-b32f-684b2aa4b91f.png) This function checks whether "%" is the beginning of an escape sequence. The "%" in the example (hello%mother.txt) is not, so the function returns an error. ### Solution: We can escape "treePath" by calling the "url.PathEscape()" function first. ### Screenshot: ![image](https://user-images.githubusercontent.com/33891828/218069781-1a030f8b-18d0-4804-b0f8-73997849ef43.png) Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: sillyguodong <33891828+sillyguodong@users.noreply.github.com> Co-authored-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'services')
-rw-r--r--services/repository/files/content.go9
1 files changed, 5 insertions, 4 deletions
diff --git a/services/repository/files/content.go b/services/repository/files/content.go
index 34c8aeec25..91e002188e 100644
--- a/services/repository/files/content.go
+++ b/services/repository/files/content.go
@@ -16,6 +16,7 @@ import (
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/setting"
api "code.gitea.io/gitea/modules/structs"
+ "code.gitea.io/gitea/modules/util"
)
// ContentType repo content type
@@ -159,7 +160,7 @@ func GetContents(ctx context.Context, repo *repo_model.Repository, treePath, ref
return nil, fmt.Errorf("no commit found for the ref [ref: %s]", ref)
}
- selfURL, err := url.Parse(fmt.Sprintf("%s/contents/%s?ref=%s", repo.APIURL(), treePath, origRef))
+ selfURL, err := url.Parse(repo.APIURL() + "/contents/" + util.PathEscapeSegments(treePath) + "?ref=" + url.QueryEscape(origRef))
if err != nil {
return nil, err
}
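Review bot: The `selfURL` line escapes `treePath` per path segment and `origRef` as a query value, but nothing says why, and the diffstat for services lists only content.go, so no test under this directory pins the behaviour. I would add above the line `// Escape per path segment and as a query value: "%", "?", "#" or "&" in a file or ref name must not be re-parsed as URL syntax.` A GetContents test case with a tree path such as `hello%mother.txt` (the example from the description) that asserts the returned URL fields would stop the old `fmt.Sprintf` form from coming back. GetContents starts and ends outside this hunk.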
@@ -218,7 +219,7 @@ func GetContents(ctx context.Context, repo *repo_model.Repository, treePath, ref
}
// Handle links
if entry.IsRegular() || entry.IsLink() {
- downloadURL, err := url.Parse(fmt.Sprintf("%s/raw/%s/%s/%s", repo.HTMLURL(), refType, ref, treePath))
+ downloadURL, err := url.Parse(repo.HTMLURL() + "/raw/" + url.PathEscape(string(refType)) + "/" + util.PathEscapeSegments(ref) + "/" + util.PathEscapeSegments(treePath))
if err != nil {
return nil, err
}
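Review bot: The expression `url.PathEscape(string(refType)) + "/" + util.PathEscapeSegments(ref) + "/" + util.PathEscapeSegments(treePath)` is written out in full on the `downloadURL` line here and again on the `htmlURL` line in the next hunk, so any later change to the escaping has to be made in two places. Computing it once before both `if` blocks, for example as `refPath := ...`, and then building `repo.HTMLURL() + "/raw/" + refPath` and `repo.HTMLURL() + "/src/" + refPath` keeps the two links escaped identically. Both `if` blocks continue outside the visible hunks.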
@@ -226,7 +227,7 @@ func GetContents(ctx context.Context, repo *repo_model.Repository, treePath, ref
contentsResponse.DownloadURL = &downloadURLString
}
if !entry.IsSubModule() {
- htmlURL, err := url.Parse(fmt.Sprintf("%s/src/%s/%s/%s", repo.HTMLURL(), refType, ref, treePath))
+ htmlURL, err := url.Parse(repo.HTMLURL() + "/src/" + url.PathEscape(string(refType)) + "/" + util.PathEscapeSegments(ref) + "/" + util.PathEscapeSegments(treePath))
if err != nil {
return nil, err
}
@@ -234,7 +235,7 @@ func GetContents(ctx context.Context, repo *repo_model.Repository, treePath, ref
contentsResponse.HTMLURL = &htmlURLString
contentsResponse.Links.HTMLURL = &htmlURLString
- gitURL, err := url.Parse(fmt.Sprintf("%s/git/blobs/%s", repo.APIURL(), entry.ID.String()))
+ gitURL, err := url.Parse(repo.APIURL() + "/git/blobs/" + url.PathEscape(entry.ID.String()))
if err != nil {
return nil, err
}