From dd6ca41fcaa1f67875dbe3e9c6a047813075e391 Mon Sep 17 00:00:00 2001
From: Ali MJ Al-Nasrawy
Date: Tue, 6 Apr 2021 20:15:04 +0300
Subject: Fix percent encoding for URL

Use proper percent-encoding charset for each context.
---
 src/listing.rs | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/listing.rs b/src/listing.rs
index 66aea6b..2a62fd6 100644
--- a/src/listing.rs
+++ b/src/listing.rs
@@ -4,7 +4,7 @@ use actix_web::http::StatusCode;
 use actix_web::web::Query;
 use actix_web::{HttpRequest, HttpResponse, Result};
 use bytesize::ByteSize;
-use percent_encoding::{percent_decode_str, utf8_percent_encode, AsciiSet, CONTROLS};
+use percent_encoding::{percent_decode_str, utf8_percent_encode};
 use qrcodegen::{QrCode, QrCodeEcc};
 use serde::Deserialize;
 use std::io;
@@ -15,8 +15,17 @@ use strum_macros::{Display, EnumString};
 use crate::archive::CompressionMethod;
 use crate::errors::{self, ContextualError};
 use crate::renderer;
-
-const FRAGMENT: &AsciiSet = &CONTROLS.add(b' ').add(b'"').add(b'<').add(b'>').add(b'`');
+use percent_encode_sets::{PATH, PATH_SEGMENT};
+
+/// "percent-encode sets" as defined by WHATWG specs:
+/// https://url.spec.whatwg.org/#percent-encoded-bytes
+mod percent_encode_sets {
+ use percent_encoding::{AsciiSet, CONTROLS};
+ const BASE: &AsciiSet = &CONTROLS.add(b'%');
+ pub const QUERY: &AsciiSet = &BASE.add(b' ').add(b'"').add(b'#').add(b'<').add(b'>');
+ pub const PATH: &AsciiSet = &QUERY.add(b'?').add(b'`').add(b'{').add(b'}');
+ pub const PATH_SEGMENT: &AsciiSet = &PATH.add(b'/');
+}
 
 /// Query parameters
 #[derive(Deserialize)]
@@ -213,7 +222,7 @@ pub fn directory_listing(
 Component::Normal(s) => {
 name = s.to_string_lossy().to_string();
 link_accumulator
- .push_str(&(utf8_percent_encode(&name, FRAGMENT).to_string() + "/"));
+ .push_str(&(utf8_percent_encode(&name, PATH_SEGMENT).to_string() + "/"));
 }
 _ => name = "".to_string(),
 };
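Review bot: In the `percent_encode_sets` module of the second hunk, the doc comment says the sets are "as defined by WHATWG specs", but `BASE` adds `%` and `PATH_SEGMENT` adds `/`, and neither byte is in the WHATWG query or path set. The comment should record that these are deliberate extensions, for example `/// Based on the WHATWG percent-encode sets, extended with '%' (and '/' for a single segment) because the inputs are raw file names, not already-encoded URLs.` The sets also leave `\` unencoded, and browsers treat `\` as `/` in http(s) paths, so on a platform that allows `\` in file names a link built from them can resolve to a different path than the entry it is shown for. `pub const PATH_SEGMENT: &AsciiSet = &PATH.add(b'/').add(b'\\');` would cover the segment case. Whether the resulting hrefs are additionally HTML-escaped depends on the renderer, which is not visible in this diff.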
@@ -256,7 +265,7 @@ pub fn directory_listing(
 Err(_) => continue,
 };
 // show file url as relative to static path
- let file_url = utf8_percent_encode(&p.to_string_lossy(), FRAGMENT).to_string();
+ let file_url = utf8_percent_encode(&p.to_string_lossy(), PATH).to_string();
 let file_name = entry.file_name().to_string_lossy().to_string();
 
 // if file is a directory, add '/' to the end of the name
-- 
cgit v1.2.3

From 1beb4c992393b774b11cc3bad444c104dd263562 Mon Sep 17 00:00:00 2001
From: Ali MJ Al-Nasrawy
Date: Thu, 8 Apr 2021 09:45:37 +0300
Subject: Avoid double-encoding file URL

Now that the '%' char itself is accepted in the file name and is encoded into '%25', this exposed a previously silent bug: `base` is already percent-encoded but it is encoded again when setting `file_url`. This produces erroneous URLs such as: '/%2523/x.y' instead of '/%23/x.y' for the path '/#/x.y'
---
 src/listing.rs | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/listing.rs b/src/listing.rs
index 2a62fd6..8c01b4b 100644
--- a/src/listing.rs
+++ b/src/listing.rs
@@ -15,7 +15,7 @@ use strum_macros::{Display, EnumString};
 use crate::archive::CompressionMethod;
 use crate::errors::{self, ContextualError};
 use crate::renderer;
-use percent_encode_sets::{PATH, PATH_SEGMENT};
+use percent_encode_sets::PATH_SEGMENT;
 
 /// "percent-encode sets" as defined by WHATWG specs:
 /// https://url.spec.whatwg.org/#percent-encoded-bytes
@@ -260,13 +260,12 @@ pub fn directory_listing(
 for entry in dir.path.read_dir()? {
 if dir.is_visible(&entry) || show_hidden {
 let entry = entry?;
- let p = match entry.path().strip_prefix(&dir.path) {
- Ok(p) => base.join(p),
- Err(_) => continue,
- };
 // show file url as relative to static path
- let file_url = utf8_percent_encode(&p.to_string_lossy(), PATH).to_string();
 let file_name = entry.file_name().to_string_lossy().to_string();
+ let file_url = base
+ .join(&utf8_percent_encode(&file_name, PATH_SEGMENT).to_string())
+ .to_string_lossy()
+ .to_string();
 
 // if file is a directory, add '/' to the end of the name
 if let Ok(metadata) = entry.metadata() {
-- 
cgit v1.2.3
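Review bot: `file_url` is still assembled with `base.join(...)`, which applies the host platform's path rules rather than URL rules if `base` is a `Path`/`PathBuf`, as the removed `base.join(p)` suggests. On Windows the separator inserted between `base` and the encoded name would then be `\`, so joining as strings keeps the link independent of the OS, e.g. `format!("{}/{}", base.to_string_lossy().trim_end_matches('/'), encoded_name)`. Separately, `file_name` comes from `to_string_lossy()`, so a name that is not valid UTF-8 is encoded with U+FFFD in place of its original bytes and the generated link will not match the entry on disk. A comment at `file_name` such as `// lossy: non-UTF-8 names produce a link that does not resolve` would make that limitation explicit. The loop body continues past the end of this hunk.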