From 0c93e5ed02ab39ed598f8e4b6e9542d5574148b8 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Wed, 16 Dec 2020 21:38:56 -0800
Subject: [PATCH] Properly handle decoding paths

---
 router/error.go | 7 +++++++
 router/router_server_files.go | 14 ++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/router/error.go b/router/error.go
index deea8f6..81735b8 100644
--- a/router/error.go
+++ b/router/error.go
@@ -83,6 +83,13 @@ func (e *RequestError) AbortWithStatus(status int, c *gin.Context) {
 return
 }
 
+ if strings.HasPrefix(e.err.Error(), "invalid URL escape") {
+ c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
+ "error": "Some of the data provided in the request appears to be escaped improperly.",
+ })
+ return
+ }
+
 // If this is a Filesystem error just return it without all of the tracking code nonsense
 // since we don't need to be logging it into the logs or anything, its just a normal error
 // that the user can solve on their end.
diff --git a/router/router_server_files.go b/router/router_server_files.go
index 6edad0b..9d6f94f 100644
--- a/router/router_server_files.go
+++ b/router/router_server_files.go
@@ -22,7 +22,12 @@ import (
 // Returns the contents of a file on the server.
 func getServerFileContents(c *gin.Context) {
 s := GetServer(c.Param("server"))
- p := "/" + strings.TrimLeft(c.Query("file"), "/")
+ f, err := url.QueryUnescape(c.Query("file"))
+ if err != nil {
+ WithError(c, err)
+ return
+ }
+ p := "/" + strings.TrimLeft(f, "/")
 st, err := s.Filesystem().Stat(p)
 if err != nil {
 NewServerError(err, s).AbortFilesystemError(c)
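Review bot: The new branch in AbortWithStatus recognises a bad escape by message text, `strings.HasPrefix(e.err.Error(), "invalid URL escape")`, which is brittle: net/url reports this condition as the typed `url.EscapeError`, and any caller that wraps the error (`fmt.Errorf("...: %w", err)`) or a future wording change in the standard library silently drops the 400 response and falls through to the generic handler below. Matching the type is stricter and survives wrapping: `var ee url.EscapeError` followed by `if errors.As(e.err, &ee) {`. That needs `errors` and `net/url` in error.go's import block, which is outside this hunk, and it is worth a one-line comment on the branch saying it maps a client-side encoding mistake to a 400 rather than a 500. AbortWithStatus begins and ends outside the hunk.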
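Review bot: `c.Query("file")` already returns the percent-decoded value (gin reads it from `Request.URL.Query()`), so the added `url.QueryUnescape` on the `f, err :=` line decodes a second time: a client that encodes once and asks for a file literally named `a%2Fb` (sent as `a%252Fb`) now reaches Stat as `a/b`, and a literal `+` in a name (sent as `%2B`) arrives as a space. Double decoding is also the classic way that `..` segments survive an upstream check that only looked at the once-decoded string, so it is good that the decode happens here before `p` is handed to `s.Filesystem().Stat`, but the decision to double-decode should be deliberate and documented, e.g. `// the client double-encodes the file name; decode the second layer here` on the `f, err :=` line, or the extra unescape dropped in favour of `p := "/" + strings.TrimLeft(c.Query("file"), "/")`. The same applies to the `directory` parameter in getServerListDirectory in the next hunk. The diffstat shows no import change for this file, so net/url is presumably already imported; getServerFileContents continues past the hunk.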
@@ -57,7 +62,12 @@ func getServerFileContents(c *gin.Context) {
 // Returns the contents of a directory for a server.
 func getServerListDirectory(c *gin.Context) {
 s := ExtractServer(c)
- if stats, err := s.Filesystem().ListDirectory(c.Query("directory")); err != nil {
+ dir, err := url.QueryUnescape(c.Query("directory"))
+ if err != nil {
+ WithError(c, err)
+ return
+ }
+ if stats, err := s.Filesystem().ListDirectory(dir); err != nil {
 WithError(c, err)
 } else {
 c.JSON(http.StatusOK, stats)
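Review bot: With the new `dir, err := url.QueryUnescape(...)` in scope, the unchanged `if stats, err := s.Filesystem().ListDirectory(dir); err != nil {` now re-declares `err` inside the if initializer and shadows the outer one; shadow-aware vet/staticcheck runs flag this, and it reads as if both branches were handling the same error variable. Flattening keeps a single `err`: `stats, err := s.Filesystem().ListDirectory(dir)` then `if err != nil {` with `WithError(c, err)` and a `return`, and the `else` branch becomes a plain `c.JSON(http.StatusOK, stats)` after the if. Note that the existing `WithError(c, err)` for the list failure has no `return`, which is presumably fine only because nothing follows it in the else-structured version; the flattened form needs the explicit return. getServerListDirectory's closing brace is outside the hunk.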