From 52d7335c2b1b8424e8971a9b03f51a5f36583535 Mon Sep 17 00:00:00 2001 From: Matt Holt Date: Mon, 15 May 2023 10:48:05 -0600 Subject: [PATCH] fileserver: Use EscapedPath for browse (#5534) * fileserver: Use EscapedPath for browse Fix #5143 * Fixes if filter element is not present * Remove extraneous line --- modules/caddyhttp/fileserver/browse.go | 4 +- modules/caddyhttp/fileserver/browse.html | 5 ++- .../fileserver/browsetplcontext_test.go | 45 +++++++++++++++++-- 3 files changed, 47 insertions(+), 7 deletions(-) diff --git a/modules/caddyhttp/fileserver/browse.go b/modules/caddyhttp/fileserver/browse.go index e1a08942..7cb6e407 100644 --- a/modules/caddyhttp/fileserver/browse.go +++ b/modules/caddyhttp/fileserver/browse.go @@ -82,8 +82,8 @@ func (fsrv *FileServer) serveBrowse(root, dirPath string, w http.ResponseWriter, repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer) - // calling path.Clean here prevents weird breadcrumbs when URL paths are sketchy like /%2e%2e%2f - listing, err := fsrv.loadDirectoryContents(r.Context(), dir.(fs.ReadDirFile), root, path.Clean(r.URL.Path), repl) + // TODO: not entirely sure if path.Clean() is necessary here but seems like a safe plan (i.e. /%2e%2e%2f) - someone could verify this + listing, err := fsrv.loadDirectoryContents(r.Context(), dir.(fs.ReadDirFile), root, path.Clean(r.URL.EscapedPath()), repl) switch { case os.IsPermission(err): return caddyhttp.Error(http.StatusForbidden, err) diff --git a/modules/caddyhttp/fileserver/browse.html b/modules/caddyhttp/fileserver/browse.html index c893b640..2afea5ee 100644 --- a/modules/caddyhttp/fileserver/browse.html +++ b/modules/caddyhttp/fileserver/browse.html @@ -850,11 +850,11 @@ footer {