Both repository/contents API endpoints return 500 when a file contains a '%' sign #22843

Closed
SolarBear opened this issue Feb 9, 2023 · 0 comments · Fixed by #22850
SolarBear commented Feb 9, 2023

Description

This bug can be found in both GET endpoints: repository/contents as well as repository/contents/{filepath}

One can reproduce this bug fairly easily:

  1. Create a new repository. I called mine testpct.
  2. Clone the empty repository locally.
  3. Add a file whose name contains a '%' sign (e.g. hello%mother.txt)
  4. Add, commit and push this file.
  5. Using the Swagger interface or some other REST client, make a GET API call to http://MYHOST/api/v1/repos/USERNAME/testpct/contents
  6. This results in a 500 error whose body is simply

     {
       "message": "",
       "url": "http://localhost:3000/api/swagger"
     }

  7. Back to your filesystem, create a folder called folder.
  8. Move the file you've created into that subfolder.
  9. Make a GET call to http://MYHOST/api/v1/repos/USERNAME/testpct/contents/folder
  10. This results in the same error as the previous one.

For the record, I am well aware that having special characters in file names is bad and, no, changing these file names is not possible. :)

Gitea Version

1.17.0, 1.18.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

https://gist.github.com/SolarBear/66fe09b5817c1aab74fa5292bebc894d

Screenshots

No response

Git Version

No response

Operating System

Windows 10

How are you running Gitea?

  • Our server is running 1.17.0, downloaded (IIRC) from the gitea.com Downloads page. The server is running as a Windows service.
  • Seeing our old-ish version had a bug, I tried it locally using version 1.18.3, installed from Scoop, running from PowerShell.
  • Also replicated directly on https://try.gitea.io/

Database

SQLite

lunny pushed a commit that referenced this issue Feb 12, 2023
Fixes: #22843 

### Cause:

https://github.com/go-gitea/gitea/blob/affdd40296960a08a4223330ccbd1fb88c96ea1a/services/repository/files/content.go#L161

Previously, we did not escape the **"%"** that might be in "treePath"
when calling "url.parse()".


![image](https://user-images.githubusercontent.com/33891828/218066318-5a909e50-2a17-46e6-b32f-684b2aa4b91f.png)

This function will check whether "%" is the beginning of an escape
character. Obviously, the "%" in the example (hello%mother.txt) is not
that. So, the function will return an error.

### Solution:
We can escape "treePath" by calling the "url.PathEscape()" function first.

### Screenshot:

![image](https://user-images.githubusercontent.com/33891828/218069781-1a030f8b-18d0-4804-b0f8-73997849ef43.png)

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
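
The failure and the fix described in the commit message above, as an added Go example that is not Gitea's code. The names `buildContentsURL`, `escapeTreePath` and `exampleBase` are assumptions; the example escapes per path segment because `url.PathEscape` also encodes "/", and it includes a constructed name (`100%25.txt`) that parses without error when unescaped but decodes to a different filename.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// exampleBase is a constructed API base URL, not taken from Gitea's source.
const exampleBase = "http://localhost:3000/api/v1/repos/USERNAME/testpct/contents"

// escapeTreePath (hypothetical helper) escapes each segment on its own.
// Calling url.PathEscape on the whole path would turn "/" into "%2F".
func escapeTreePath(treePath string) string {
	segs := strings.Split(treePath, "/")
	for i, s := range segs {
		segs[i] = url.PathEscape(s)
	}
	return strings.Join(segs, "/")
}

// buildContentsURL (hypothetical) joins base and treePath and parses the
// result, with or without escaping, to show both behaviours side by side.
func buildContentsURL(base, treePath string, escape bool) (*url.URL, error) {
	if escape {
		treePath = escapeTreePath(treePath)
	}
	return url.Parse(base + "/" + treePath)
}

func main() {
	// Constructed sample file names.
	for _, p := range []string{"hello%mother.txt", "folder/hello%mother.txt", "100%25.txt"} {
		raw, rawErr := buildContentsURL(exampleBase, p, false)
		esc, escErr := buildContentsURL(exampleBase, p, true)
		fmt.Printf("tree path %q\n", p)
		if rawErr != nil {
			fmt.Println("  unescaped: error:", rawErr)
		} else {
			// No error, but the decoded path may no longer name the same file.
			fmt.Printf("  unescaped: decoded path %q\n", raw.Path)
		}
		if escErr == nil {
			fmt.Printf("  escaped:   %s (decoded path %q)\n", esc.String(), esc.Path)
		}
	}
}
```
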
yardenshoham pushed a commit to yardenshoham/gitea that referenced this issue Feb 12, 2023
Fixes: go-gitea#22843 

zeripath added a commit that referenced this issue Feb 12, 2023
Backport #22850

Fixes: #22843 

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
Co-authored-by: Andrew Thornton <art27@cantab.net>
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023