From 42b7584068e51a58d2bfe76729fe039fe7f6a7cf Mon Sep 17 00:00:00 2001
From: Shadowfacts
Date: Mon, 14 Jan 2019 11:31:44 -0500
Subject: [PATCH 1/2] URI escape file upload URLs
---
lib/pleroma/upload.ex | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/pleroma/upload.ex b/lib/pleroma/upload.ex
index 0b1bdeec4..185ba25fa 100644
--- a/lib/pleroma/upload.ex
+++ b/lib/pleroma/upload.ex
@@ -215,7 +215,7 @@ defp tempfile_for_image(data) do
end
defp url_from_spec(base_url, {:file, path}) do
- [base_url, "media", path]
+ [base_url, "media", URI.encode(path)]
|> Path.join()
end
From dcbe5bd58ccb1068d17ba15703169593d4bbb393 Mon Sep 17 00:00:00 2001
From: Shadowfacts
Date: Mon, 14 Jan 2019 13:29:38 -0500
Subject: [PATCH 2/2] Add attachment escaping test
---
test/upload_test.exs | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/test/upload_test.exs b/test/upload_test.exs
index d4ea3a573..bda503361 100644
--- a/test/upload_test.exs
+++ b/test/upload_test.exs
@@ -137,5 +137,20 @@ test "copies the file to the configured folder with anonymizing filename" do
refute data["name"] == "an [image.jpg"
end
+
+ test "escapes invalid characters in url" do
+ File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg")
+
+ file = %Plug.Upload{
+ content_type: "image/jpg",
+ path: Path.absname("test/fixtures/image_tmp.jpg"),
+ filename: "an… image.jpg"
+ }
+
+ {:ok, data} = Upload.store(file)
+ [attachment_url | _] = data["url"]
+
+ assert Path.basename(attachment_url["href"]) == "an%E2%80%A6%20image.jpg"
+ end
end
end
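Review bot: In `url_from_spec/2` (lib/pleroma/upload.ex), `URI.encode(path)` uses the default predicate `URI.char_unescaped?/1`, which leaves reserved characters such as `?` and `#` untouched, so an uploaded filename containing them would still produce an href whose tail is parsed as a query or fragment instead of as part of the path. If `path` has to keep its `/` separators, a stricter predicate does both: `URI.encode(path, &(&1 == ?/ or URI.char_unreserved?(&1)))`. Whether filenames are sanitised before they reach this clause is not visible in the hunk, so this is something to confirm. The new test in test/upload_test.exs exercises only `…` and a space and would not catch the reserved-character case.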