#1136 mod_http_files: Double URL-decoding of paths

Reporter hoellen
Owner Nobody
Tags
  • Priority-Medium
  • Status-Accepted
  • Type-Defect
  1. hoellen on

    What steps will reproduce the problem?
    1. Upload a file (in Gajim!) with spaces in the name
    2. Try to download this file

    What is the expected output?
    Downloading the file works.

    What do you see instead?
    Could not find file. 404 Error.

    What version of the product are you using? On what operating system?
    Prosody 0.10
    CentOS Linux release 7.4.1708 (Core)
    Kernel: 3.10.0-693

    Please provide any additional information below.
    - Works with files without spaces in name (any client).
    - Works with spaces in name if I use Conversations.

    If I use Conversations to upload the file, it saves the file under
    "/var/lib/prosody/upload/HASH/file with spaces.png"
    Then I get the following link:
    "https://domain.com:5281/upload/HASH/file%20with%spaces.png" => works

    If I use Gajim, it encodes the spaces in the URL to "%20" and then encodes the '%' to %25, so there is %2520.
    So the file exists in "/var/lib/prosody/upload/HASH/file%20with%20spaces.png"
    And the URL I get is:
    "https://domain.com:5281/upload/HASH/file%2520with%2520spaces.png" => 404 not found

  2. Zash on

    Turns out this isn't a problem with mod_http_upload, but with Prosody's built-in HTTP server and mod_http_files (which handles file serving for mod_http_upload).

    Changes
    • title "http upload file not find (spaces in name)" → "mod_http_files: Double URL-decoding of paths"
    • tags Status-Accepted
  3. Zash on

    Also, thanks for the report! Note that this is also a bug in Gajim; it should not send %-encoded file names in the HTTP Upload slot request protocol.

  4. hoellen on

    Thanks. I reported that issue to Gajim (https://dev.gajim.org/gajim/gajim/issues/9112)
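
The behaviour reported in this thread, as an added example that is not part of the original issue and is not Prosody's code: a Python model of a file handler that decodes the request path once versus twice, plus a check that lists stored names whose own link breaks under double decoding. `PREFIX`, `STORED`, `link_for`, `resolve`, `broken_by_double_decode` and the `HASH-A`/`HASH-B` directory names are assumptions made for the illustration.

```python
from urllib.parse import quote, unquote

PREFIX = "/upload/"

# Constructed stand-in for the upload directory: paths exactly as stored on disk.
# HASH-A and HASH-B are placeholders for the per-upload directory names.
STORED = {
    "HASH-A/file with spaces.png",      # client sent the raw file name
    "HASH-B/file%20with%20spaces.png",  # client sent an already %-encoded name
}

def link_for(stored_path):
    """URL path handed back to the client: the stored path, %-encoded once."""
    return PREFIX + quote(stored_path)

def resolve(url_path, decode_passes=1):
    """Map a request path to a stored file, or None for a 404.

    decode_passes=1 is the correct behaviour; decode_passes=2 models the
    defect, where the HTTP server and the file handler each decode the path.
    """
    path = url_path[len(PREFIX):]
    for _ in range(decode_passes):
        path = unquote(path)
    return path if path in STORED else None

def broken_by_double_decode(stored_paths):
    """Stored paths whose own link stops resolving when decoded twice."""
    return sorted(p for p in stored_paths
                  if resolve(link_for(p), decode_passes=2) != p)

if __name__ == "__main__":
    for p in sorted(STORED):
        url = link_for(p)
        print(url, "once:", resolve(url, 1), "twice:", resolve(url, 2))
    print("affected:", broken_by_double_decode(STORED))
```

A name with no literal `%` survives the second decode unchanged, which is why only the upload with the pre-encoded name returns 404.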
