Fix plus sign in path bug with downloads & uploads

2024-08-30 18:23:09 +00:00 · 2022-11-30 20:28:24 -05:00 · 2022-11-30 20:28:24 -05:00 · 0c9ee0e0e0
commit 0c9ee0e0e0
parent 17744b72ae
6 changed files with 20 additions and 12 deletions
--- a/app/classes/web/ajax_handler.py
+++ b/app/classes/web/ajax_handler.py
@ -4,6 +4,7 @@ import pathlib
 import re
 import logging
 import time
+import urllib.parse
 import bleach
 import tornado.web
 import tornado.escape
@ -507,7 +508,7 @@ class AjaxHandler(BaseHandler):
                    self.redirect("/panel/dashboard")

        elif page == "unzip_server":
-            path = self.get_argument("path", None)
+            path = urllib.parse.unquote(self.get_argument("path", None))
            if not path:
                path = os.path.join(
                    self.controller.project_root,
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@ -7,6 +7,7 @@ import json
 import logging
 import threading
 import shlex
+import urllib.parse
 import bleach
 import requests
 import tornado.web
@ -1386,9 +1387,10 @@ class PanelHandler(BaseHandler):
            template = "panel/activity_logs.html"

        elif page == "download_file":
-            file = Helpers.get_os_understandable_path(self.get_argument("path", ""))
-            name = self.get_argument("name", "")
-
+            file = Helpers.get_os_understandable_path(
+                urllib.parse.unquote(self.get_argument("path", ""))
+            )
+            name = urllib.parse.unquote(self.get_argument("name", ""))
            server_id = self.check_server_id()
            if server_id is None:
                return
--- a/app/classes/web/upload_handler.py
+++ b/app/classes/web/upload_handler.py
@ -1,6 +1,7 @@
 import logging
 import os
 import time
+import urllib.parse
 import tornado.web
 import tornado.options
 import tornado.httpserver
@ -108,7 +109,9 @@ class UploadHandler(BaseHandler):
                        logger.debug("Could not delete file on user server upload")

            self.helper.ensure_dir_exists(path)
-            filename = self.request.headers.get("X-FileName", None)
+            filename = urllib.parse.unquote(
+                self.request.headers.get("X-FileName", None)
+            )
            if not str(filename).endswith(".zip"):
                self.helper.websocket_helper.broadcast("close_upload_box", "error")
                self.finish("error")
--- a/app/frontend/templates/panel/server_files.html
+++ b/app/frontend/templates/panel/server_files.html
@ -1027,7 +1027,9 @@
  function downloadFileE(event) {
    path = event.target.parentElement.getAttribute('data-path');
    name = event.target.parentElement.getAttribute('data-name');
-    window.location.href = `/panel/download_file?id=${serverId}&path=${path}&name=${name}`;
+    encoded_path = encodeURIComponent(path)
+    encoded_name = encodeURIComponent(name)
+    window.location.href = `/panel/download_file?id=${serverId}&path=${encoded_path}&name=${encoded_name}`;
  }

  function renameItemE(event) {
--- a/app/frontend/templates/server/bedrock_wizard.html
+++ b/app/frontend/templates/server/bedrock_wizard.html
@ -565,7 +565,7 @@
    document.getElementById("upload_input").innerHTML = '<div class="progress"><div class="progress-bar progress-bar-striped progress-bar-animated" role="progressbar" aria-valuenow="100" aria-valuemin="0" aria-valuemax="100" style="width: 100%">&nbsp;<i class="fa-solid fa-spinner"></i></div></div>'
    let xmlHttpRequest = new XMLHttpRequest();
    let token = getCookie("_xsrf")
-    let fileName = file.name
+    let fileName = encodeURIComponent(file.name)
    let target = '/upload'
    let mimeType = file.type
    let size = file.size
@ -610,7 +610,7 @@
      $.ajax({
        type: "POST",
        headers: { 'X-XSRFToken': token },
-        url: '/ajax/unzip_server?id=-1&file=' + file.name,
+        url: '/ajax/unzip_server?id=-1&file=' + encodeURIComponent(file.name),
      });
    } else {
      bootbox.alert("You must input a path before selecting this button");
@ -663,7 +663,7 @@
      $.ajax({
        type: "POST",
        headers: { 'X-XSRFToken': token },
-        url: '/ajax/unzip_server?id=-1&path=' + path,
+        url: '/ajax/unzip_server?id=-1&path=' + encodeURIComponent(path),
      });
    } else {
      bootbox.alert("You must input a path before selecting this button");
--- a/app/frontend/templates/server/wizard.html
+++ b/app/frontend/templates/server/wizard.html
@ -788,7 +788,7 @@
      $.ajax({
        type: "POST",
        headers: { 'X-XSRFToken': token },
-        url: '/ajax/unzip_server?id=-1&path=' + path,
+        url: '/ajax/unzip_server?id=-1&path=' + encodeURIComponent(path),
      });
    } else {
      bootbox.alert("You must input a path before selecting this button");
@ -853,7 +853,7 @@
        $.ajax({
          type: "POST",
          headers: { 'X-XSRFToken': token },
-          url: '/ajax/unzip_server?id=-1&path=' + path,
+          url: '/ajax/unzip_server?id=-1&path=' + encodeURIComponent(path),
        });
      } else {
        bootbox.alert("You must input a path before selecting this button");
@ -875,7 +875,7 @@
        $.ajax({
          type: "POST",
          headers: { 'X-XSRFToken': token },
-          url: '/ajax/unzip_server?id=-1&file=' + file.name,
+          url: '/ajax/unzip_server?id=-1&file=' + encodeURIComponent(file.name),
        });
      } else {
        bootbox.alert("You must input a path before selecting this button");