From ea07171bef26f338460482df03ef3da774b640f9 Mon Sep 17 00:00:00 2001
From: Dwynr
Date: Sun, 10 Nov 2024 21:33:15 +0100
Subject: [PATCH] fix: url encoding/decoding
---
 package.json | 2 +-
 src/handlers/copy.ts | 2 +-
 src/handlers/mkcol.ts | 2 +-
 src/handlers/move.ts | 2 +-
 src/handlers/put.ts | 2 +-
 src/index.ts | 4 ++--
 src/responses.ts | 15 ++++++++++++---
 7 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/package.json b/package.json
index 54d3604..758835a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@filen/webdav",
- "version": "0.2.56",
+ "version": "0.2.57",
 "description": "Filen WebDAV",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
diff --git a/src/handlers/copy.ts b/src/handlers/copy.ts
index 35ff23e..64372a4 100644
--- a/src/handlers/copy.ts
+++ b/src/handlers/copy.ts
@@ -64,7 +64,7 @@ export class Copy {
 return
 }
- const destination = decodeURI(url.pathname)
+ const destination = decodeURIComponent(url.pathname)
 if (destination.startsWith("..") || destination.startsWith("./") || destination.startsWith("../")) {
 await Responses.forbidden(res)
diff --git a/src/handlers/mkcol.ts b/src/handlers/mkcol.ts
index a524370..65f6a1e 100644
--- a/src/handlers/mkcol.ts
+++ b/src/handlers/mkcol.ts
@@ -32,7 +32,7 @@ export class Mkcol {
 */
 public async handle(req: Request, res: Response): Promise {
 try {
- const path = decodeURI(req.url.endsWith("/") ? req.url.slice(0, req.url.length - 1) : req.url)
+ const path = decodeURIComponent(req.url.endsWith("/") ? req.url.slice(0, req.url.length - 1) : req.url)
 const sdk = this.server.getSDKForUser(req.username)
 if (!sdk) {
diff --git a/src/handlers/move.ts b/src/handlers/move.ts
index 231a060..0827295 100644
--- a/src/handlers/move.ts
+++ b/src/handlers/move.ts
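Review bot: The traversal check below the new `decodeURIComponent(url.pathname)` line only inspects the start of `destination`, while `decodeURIComponent` (unlike `decodeURI`) turns `%2F` into `/`, so one encoded segment can now decode into several segments, including `..`, that the check never sees. Testing the decoded segments is safer, e.g. `if (destination.split("/").some(part => part === "." || part === "..")) {` in place of the `startsWith` chain. How `url` is built and how `destination` is resolved afterwards lie outside the hunk, so confirm whether a later step normalises the path. The identical hunk in src/handlers/move.ts needs the same change, and the decoded paths in mkcol.ts, put.ts and `urlToResource` show no segment check in their visible lines.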
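Review bot: In the mkcol.ts hunk the trailing-slash strip runs on the raw `req.url` before `decodeURIComponent`, so a request target ending in `%2F` now decodes to a path that still ends in `/`; with `decodeURI` that escape stayed encoded. Decode first and strip afterwards, as put.ts does with `removeLastSlash(decodeURIComponent(req.url))`: `const decoded = decodeURIComponent(req.url)` followed by `const path = decoded.endsWith("/") ? decoded.slice(0, -1) : decoded`. Whether `removeLastSlash` is available in this file is not visible here, and `handle` continues past the hunk.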
@@ -64,7 +64,7 @@ export class Move {
 return
 }
- const destination = decodeURI(url.pathname)
+ const destination = decodeURIComponent(url.pathname)
 if (destination.startsWith("..") || destination.startsWith("./") || destination.startsWith("../")) {
 await Responses.forbidden(res)
diff --git a/src/handlers/put.ts b/src/handlers/put.ts
index ea7deb0..78f9a56 100644
--- a/src/handlers/put.ts
+++ b/src/handlers/put.ts
@@ -68,7 +68,7 @@ export class Put {
 */
 public async handle(req: Request, res: Response): Promise {
 try {
- const path = removeLastSlash(decodeURI(req.url))
+ const path = removeLastSlash(decodeURIComponent(req.url))
 const parentPath = pathModule.posix.dirname(path)
 const name = pathModule.posix.basename(path)
 const thisResource = await this.server.pathToResource(req, path)
diff --git a/src/index.ts b/src/index.ts
index e3e37d2..324e0b4 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -274,7 +274,7 @@ export class WebDAVServer {
 * @returns {ISemaphore}
 */
 public getRWMutexForUser(path: string, username?: string): ISemaphore {
- path = removeLastSlash(decodeURI(path))
+ path = removeLastSlash(decodeURIComponent(path))
 if (!username) {
 return new Semaphore(1)
@@ -302,7 +302,7 @@ export class WebDAVServer {
 * @returns {Promise}
 */
 public async urlToResource(req: Request): Promise {
- const url = decodeURI(req.url)
+ const url = decodeURIComponent(req.url)
 const path = url === "/" ? url : removeLastSlash(url)
 if (this.getVirtualFilesForUser(req.username)[path]) {
diff --git a/src/responses.ts b/src/responses.ts
index 53848cb..04160f0 100644
--- a/src/responses.ts
+++ b/src/responses.ts
@@ -29,7 +29,10 @@ export class Responses {
 "xmlns:D": "DAV:"
 },
 "D:response": resources.map(resource => ({
- "D:href": `${encodeURI(resource.url)}`,
+ "D:href": `${resource.url
+ .split("/")
+ .map(part => encodeURIComponent(part))
+ .join("/")}`,
 ["D:propstat"]: {
 "D:prop": {
 "D:getlastmodified": new Date(resource.mtimeMs).toUTCString(),
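Review bot: `getRWMutexForUser` decodes its `path` argument a second time if callers hand it a path the handlers in this patch have already decoded from `req.url`; the call sites are outside the hunk, so this needs confirming. On an already-decoded name containing a literal `%`, the second `decodeURIComponent` can throw `URIError` or map two different names to the same lock key. Consider decoding only at the request boundary, reducing the line to `path = removeLastSlash(path)` and documenting the contract with `@param path Already-decoded resource path; must not be percent-encoded.` The function body continues past the hunk.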
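Review bot: `decodeURIComponent(req.url)` is the first statement of `urlToResource` and throws `URIError` on a malformed percent escape, with no `try` visible between the signature and the call. If callers do not catch it (they are outside the hunk), a client-supplied request target surfaces as a rejected promise rather than a 400 response. At minimum the doc comment above the method should state this, e.g. `@throws {URIError} If req.url contains a malformed percent escape.`, so that every caller maps it to a client error.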
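Review bot: The per-segment encoding expression for `D:href` is written out three times (in this hunk and in the two later src/responses.ts hunks at -80 and -111), so one copy can drift from the others; a single helper keeps the encoding consistent. For example `const encodeHref = (url: string): string => url.split("/").map(part => encodeURIComponent(part)).join("/")`, with each site reduced to `"D:href": encodeHref(resource.url)`. The wrapping template literal adds nothing because the expression is already a string. A one-line comment that per-segment encoding also escapes `&`, `<`, `>` and `"` would help, since these values appear to be placed in an XML response.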
@@ -80,7 +83,10 @@ export class Responses {
 "xmlns:D": "DAV:"
 },
 "D:response": {
- "D:href": `${encodeURI(url)}`,
+ "D:href": `${url
+ .split("/")
+ .map(part => encodeURIComponent(part))
+ .join("/")}`,
 ["D:propstat"]: {
 "D:prop": {},
 "D:status": "HTTP/1.1 207 Multi-Status"
@@ -111,7 +117,10 @@ export class Responses {
 "xmlns:D": "DAV:"
 },
 "D:response": {
- "D:href": `${encodeURI(url)}`,
+ "D:href": `${url
+ .split("/")
+ .map(part => encodeURIComponent(part))
+ .join("/")}`,
 ["D:propstat"]: {
 "D:prop": {},
 "D:status": "HTTP/1.1 404 NOT FOUND"