author | Sven-Hendrik Haase <svenstaro@gmail.com> | 2020-08-24 21:33:46 +0000 |
---|---|---|
committer | Sven-Hendrik Haase <svenstaro@gmail.com> | 2020-08-24 23:15:27 +0000 |
commit | e0fe92687032385c08bd0e4109d3af002a211d1f (patch) | |
tree | 433bad0a0b3dc8e2afb6975c9bd2c996b37f7161 | |
parent | Give up and just duplicate stuff (diff) | |
Fix double-escaping (fixes #354)
-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | Cargo.lock | 7 | ||||
-rw-r--r-- | Cargo.toml | 1 | ||||
-rw-r--r-- | src/listing.rs | 8 | ||||
-rw-r--r-- | tests/fixtures/mod.rs | 2 | ||||
-rw-r--r-- | tests/serve_request.rs | 9 |
6 files changed, 13 insertions, 15 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index cfb11a4..a0432c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/). - Remove percent-encoding in heading and title [#362](https://github.com/svenstaro/miniserve/pull/362) (thanks @ahti) - Make name ordering case-insensitive [#362](https://github.com/svenstaro/miniserve/pull/362) (thanks @ahti) - Give name column more space [#362](https://github.com/svenstaro/miniserve/pull/362) (thanks @ahti) +- Fix double-escaping [#354](https://github.com/svenstaro/miniserve/issues/354) ## [0.8.0] - 2020-07-22 - Accept port 0 to find a random free port and use that [#327](https://github.com/svenstaro/miniserve/pull/327) (thanks @parrotmac) @@ -981,11 +981,6 @@ dependencies = [ ] [[package]] -name = "htmlescape" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" - -[[package]] name = "http" version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -1299,7 +1294,6 @@ dependencies = [ "failure 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)", "futures 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)", "hex 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)", - "htmlescape 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)", "libflate 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)", "log 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)", "maud 0.22.0 (registry+https://github.com/rust-lang/crates.io-index)", 
@@ -2843,7 +2837,6 @@ dependencies = [ "checksum hex 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "644f9158b2f133fd50f5fb3242878846d9eb792e445c893805ff0e3824006e35" "checksum hostname 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "3c731c3e10504cc8ed35cfe2f1db4c9274c3d35fa486e3b31df46f068ef3e867" "checksum html5ever 0.25.1 (registry+https://github.com/rust-lang/crates.io-index)" = "aafcf38a1a36118242d29b92e1b08ef84e67e4a5ed06e0a80be20e6a32bfed6b" -"checksum htmlescape 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e9025058dae765dee5070ec375f591e2ba14638c63feff74f13805a72e523163" "checksum http 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "28d569972648b2c512421b5f2a405ad6ac9666547189d0c5477a3f200f3e02f9" "checksum http-body 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "13d5ff830006f7646652e057693569bfe0d51760c0085a071769d142a205111b" "checksum httparse 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "cd179ae861f0c2e53da70d892f5f3029f9594be0c41dc5269cd371691b1dc2f9" @@ -22,7 +22,6 @@ actix-web = "2.0" simplelog = "0.8" percent-encoding = "2.1" port_check = "0.1" -htmlescape = "0.3.1" bytesize = "1.0.0" nanoid = "0.3" alphanumeric-sort = "1.4.0" diff --git a/src/listing.rs b/src/listing.rs index 0ffa2df..89d4e6c 100644 --- a/src/listing.rs +++ b/src/listing.rs @@ -4,7 +4,6 @@ use actix_web::http::StatusCode; use actix_web::web::Query; use actix_web::{HttpRequest, HttpResponse, Result}; use bytesize::ByteSize; -use htmlescape::encode_minimal as escape_html_entity; use percent_encoding::{percent_decode_str, utf8_percent_encode, AsciiSet, CONTROLS}; use qrcodegen::{QrCode, QrCodeEcc}; use serde::Deserialize; 
@@ -209,8 +208,7 @@ pub fn directory_listing( }; // show file url as relative to static path let file_url = utf8_percent_encode(&p.to_string_lossy(), FRAGMENT).to_string(); - // " -- " & -- & ' -- ' < -- < > -- > - let file_name = escape_html_entity(&entry.file_name().to_string_lossy()); + let file_name = entry.file_name().to_string_lossy().to_string(); // if file is a directory, add '/' to the end of the name if let Ok(metadata) = entry.metadata() { @@ -309,7 +307,7 @@ pub fn directory_listing( path = &dir.path.display().to_string() ); - let filename = format!( + let file_name = format!( "{}.{}", dir.path.file_name().unwrap().to_str().unwrap(), compression_method.extension() @@ -337,7 +335,7 @@ pub fn directory_listing( .header("Content-Transfer-Encoding", "binary") .header( "Content-Disposition", - format!("attachment; filename={:?}", filename), + format!("attachment; filename={:?}", file_name), ) .body(actix_web::body::BodyStream::new(rx)), )) diff --git a/tests/fixtures/mod.rs b/tests/fixtures/mod.rs index cec912a..49ed7bd 100644 --- a/tests/fixtures/mod.rs +++ b/tests/fixtures/mod.rs @@ -8,7 +8,7 @@ pub type Error = Box<dyn std::error::Error>; /// File names for testing purpose #[allow(dead_code)] -pub static FILES: &[&str] = &["test.txt", "test.html", "test.mkv"]; +pub static FILES: &[&str] = &["test.txt", "test.html", "test.mkv", "test \" \' & < >.csv"]; /// Directory names for testing purpose #[allow(dead_code)] diff --git a/tests/serve_request.rs b/tests/serve_request.rs index cc0e059..43b16a0 100644 --- a/tests/serve_request.rs +++ b/tests/serve_request.rs 
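Review bot: In the `@@ -209,8 +208,7 @@` hunk of src/listing.rs, `file_name` now holds the directory entry's name unescaped, and nothing on the new line says where escaping happens instead. Presumably the maud template escapes it on render (the commit title suggests the old call escaped a second time), but that render site is outside this hunk, as are the start and end of `directory_listing`. I would replace the deleted comment with one that records the invariant, e.g. `// not escaped here: the template escapes on render, so this must never be emitted via PreEscaped`. As a style point, `entry.file_name().to_string_lossy().into_owned()` says the same thing without formatting the `Cow` through `to_string()`.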
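Review bot: The name added to `FILES` in tests/fixtures/mod.rs probably cannot tell correctly escaped output from output that is not escaped at all. In `test \" \' & < >.csv` each `&` and `<` is followed by a space, which as far as I know an HTML parser reads as literal text, so the `x.text() == file` lookup in tests/serve_request.rs would likely also succeed on a raw name; the fixture only catches double-escaping. A second name in which the characters adjoin letters would cover both directions, for example the constructed value `"test<b>&amp;.txt"`. The `\'` escape is also unnecessary inside a Rust string literal.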
@@ -45,9 +45,16 @@ fn serves_requests_with_non_default_port(tmpdir: TempDir, port: u16) -> Result<( let body = reqwest::blocking::get(format!("http://localhost:{}", port).as_str())? .error_for_status()?; let parsed = Document::from_read(body)?; + for &file in FILES { - assert!(parsed.find(|x: &Node| x.text() == file).next().is_some()); + let f = parsed.find(|x: &Node| x.text() == file).next().unwrap(); + dbg!(f.attr("href")); + assert_eq!( + format!("/{}", file), + percent_encoding::percent_decode_str(f.attr("href").unwrap()).decode_utf8_lossy(), + ); } + for &directory in DIRECTORIES { assert!(parsed .find(|x: &Node| x.text() == directory) |
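Review bot: The new `assert_eq!` compares the percent-decoded `href` with `format!("/{}", file)`, so it passes whether or not the server percent-encoded the name, and `decode_utf8_lossy()` would additionally paper over invalid bytes. If the encoding is part of what this test should pin, also compare the raw `f.attr("href")` value against the expected encoded form. `dbg!(f.attr("href"));` is a debugging leftover and should be dropped, and the bare `.unwrap()` on `find(..).next()` loses the file name on failure; `.unwrap_or_else(|| panic!("{} missing from listing", file))` keeps it. The test function starts before this hunk and continues after it.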