-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use net/url to escape paths in web-ui #2092
Conversation
License: MIT Signed-off-by: Adrian Ulrich <adrian@blinkenlights.ch>
@adrian-bl for the license signoff thing, you can just amend your commit and force push (saves notification noise). Also, don't worry about the vendor directory stuff. Thats all going to be 'fixed' after 0.4.0 with gx, so i'll handle it all then. |
@whyrusleeping ok, thanks. I already configured a git hook, so it shouldn't happen anymore anyways :-) |
// custom template-escaping function to escape a full path, including '#' and '?' | ||
urlEscape := func(rawUrl string) string { | ||
pathUrl := url.URL{Path: rawUrl} | ||
return pathUrl.String() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks right to me
@adrian-bl this LGTM! thanks! i think we want a test to go in with this PR though to ensure it's not broken in the future.
cc @cryptix as he knows this area better than me. |
Same file :) The "backlinks" related code |
Does this also fix request URIs containing escaped characters, as in #2061 (comment)? |
@lgierth Yes, as net/url escapes the whole path according to RFC 3986, so the percent sign itself will be escaped to '%25':
About the testing: IMO, the simplest way to test this would be to rename the 'foo' directory into something that needs escaping (adding a new directory would just duplicate most of the testing code). I hacked this up here: https://gist.github.com/adrian-bl/74fb3eb3a91ee58691a5 |
I just verified this pr by testing the directory listing directly; it works. This test can be added to sharness either here or in dir-index-html repo test_expect_success "gateway dir listing escapes the characters" '
mkdir -p ttt &&
echo foo >ttt/@\#\#_\? &&
ipfs add -r ttt &&
curl 'localhost:8080/ipfs/QmantKYPCRwwifWxr3DcrqrStqULS4vJ7x1n9R8B4gCSrJ/' >curl_out &&
grep "QmantKYPCRwwifWxr3DcrqrStqULS4vJ7x1n9R8B4gCSrJ/@%23%23_%3F" curl_out
' |
@rht thanks for resurfacing this + the review. want to pick this up and rebase the PR on top of master + add test? |
ping @noffle, think you could pick this up? |
This change uses net/url to escape href's in the gateway directory listing instead of the builtin escaper by html/template which does not escape fragments (#) and other characters such as '?'.
Example:
Fixes #2061
Note: I'm not sure about what to do with the vendor dir: should i re-publish it to ipfs and use the new hash? i was unable to find (and re-construct, using ipfs add -r) the currently used hash.