From 4263edc9c9bbff17c7beb5495d6e7b4b4f8683ef Mon Sep 17 00:00:00 2001 From: rinpatch Date: Tue, 5 Mar 2019 18:09:23 +0300 Subject: [PATCH 1/2] Properly escape reserved URI charachters in upload urls --- lib/pleroma/upload.ex | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/pleroma/upload.ex b/lib/pleroma/upload.ex index 91a5db8c5..1a97e9fde 100644 --- a/lib/pleroma/upload.ex +++ b/lib/pleroma/upload.ex @@ -85,6 +85,10 @@ def store(upload, opts \\ []) do end end + def char_unescaped?(char) do + URI.char_unreserved?(char) or char == ?/ + end + defp get_opts(opts) do {size_limit, activity_type} = case Keyword.get(opts, :type) do @@ -218,9 +222,7 @@ defp tempfile_for_image(data) do defp url_from_spec(base_url, {:file, path}) do path = path - |> URI.encode() - |> String.replace("?", "%3F") - |> String.replace(":", "%3A") + |> URI.encode(&char_unescaped?/1) [base_url, "media", path] |> Path.join() From 40ff8f5964ad2ef5f5a79c7508769fd69a5dbb68 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Tue, 5 Mar 2019 19:28:58 +0300 Subject: [PATCH 2/2] Add tests for reserved char escaping in upload --- test/upload_test.exs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/test/upload_test.exs b/test/upload_test.exs index b2d9eca38..bdda01b3f 100644 --- a/test/upload_test.exs +++ b/test/upload_test.exs @@ -153,19 +153,20 @@ test "escapes invalid characters in url" do assert Path.basename(attachment_url["href"]) == "an%E2%80%A6%20image.jpg" end - test "replaces : (colon) and ? (question-mark) to %3A and %3F (respectively)" do + test "escapes reserved uri characters" do File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg") file = %Plug.Upload{ content_type: "image/jpg", path: Path.absname("test/fixtures/image_tmp.jpg"), - filename: "is:an?image.jpg" + filename: ":?#[]@!$&\\'()*+,;=.jpg" } {:ok, data} = Upload.store(file) [attachment_url | _] = data["url"] - assert Path.basename(attachment_url["href"]) == "is%3Aan%3Fimage.jpg" + assert Path.basename(attachment_url["href"]) == + "%3A%3F%23%5B%5D%40%21%24%26%5C%27%28%29%2A%2B%2C%3B%3D.jpg" end end end