diff --git a/app/classes/web/ajax_handler.py b/app/classes/web/ajax_handler.py
index fe3fb14f..61e2c40d 100644
--- a/app/classes/web/ajax_handler.py
+++ b/app/classes/web/ajax_handler.py
@@ -4,6 +4,7 @@ import pathlib
 import re
 import logging
 import time
+import urllib.parse
 import bleach
 import tornado.web
 import tornado.escape
@@ -507,7 +508,7 @@ class AjaxHandler(BaseHandler):
 self.redirect("/panel/dashboard")
 
 elif page == "unzip_server":
- path = self.get_argument("path", None)
+ path = urllib.parse.unquote(self.get_argument("path", None))
 if not path:
 path = os.path.join(
 self.controller.project_root,
diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py
index d64774bd..24ab74a7 100644
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@@ -7,6 +7,7 @@ import json
 import logging
 import threading
 import shlex
+import urllib.parse
 import bleach
 import requests
 import tornado.web
@@ -1386,9 +1387,10 @@ class PanelHandler(BaseHandler):
 template = "panel/activity_logs.html"
 
 elif page == "download_file":
- file = Helpers.get_os_understandable_path(self.get_argument("path", ""))
- name = self.get_argument("name", "")
-
+ file = Helpers.get_os_understandable_path(
+ urllib.parse.unquote(self.get_argument("path", ""))
+ )
+ name = urllib.parse.unquote(self.get_argument("name", ""))
 server_id = self.check_server_id()
 if server_id is None:
 return
diff --git a/app/classes/web/upload_handler.py b/app/classes/web/upload_handler.py
index 2de4fe1f..785d5783 100644
--- a/app/classes/web/upload_handler.py
+++ b/app/classes/web/upload_handler.py
@@ -1,6 +1,7 @@ import logging
 import os
 import time
+import urllib.parse
 import tornado.web
 import tornado.options
 import tornado.httpserver
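Review bot: `urllib.parse.unquote(self.get_argument("path", None))` raises TypeError when the `path` argument is absent, because the `None` default is handed straight to `unquote`; the old code relied on that `None` to reach the `if not path:` default below, which a missing argument can no longer reach. An empty default keeps that branch working: `path = urllib.parse.unquote(self.get_argument("path", ""))`. Separately, Tornado's `get_argument` already returns the percent-decoded query value, so this call decodes a second time and a filename that legitimately contains a `%xx` sequence is altered before use; the same applies to the `download_file` hunk in panel_handler.py. If a containment check on `path` exists further down, it must operate on this decoded value, not the raw argument. The `unzip_server` branch continues outside the hunk.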
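Review bot: `file` is built directly from a request argument and the hunk ends before any check that it lies inside the server's directory; `check_server_id()` appears to validate the server id, not the path. If such a check exists below this hunk, it should be applied to the decoded `file` (and to `name`, which presumably ends up in the download response headers) rather than to the raw argument, since decoding now happens here. A comment at the decode site would make that dependency explicit, e.g. `# decoded here; any path containment check must use this value`. The `download_file` branch continues outside the hunk.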
@@ -108,7 +109,9 @@ class UploadHandler(BaseHandler):
 logger.debug("Could not delete file on user server upload")
 self.helper.ensure_dir_exists(path)
 
- filename = self.request.headers.get("X-FileName", None)
+ filename = urllib.parse.unquote(
+ self.request.headers.get("X-FileName", None)
+ )
 if not str(filename).endswith(".zip"):
 self.helper.websocket_helper.broadcast("close_upload_box", "error")
 self.finish("error")
diff --git a/app/frontend/templates/panel/server_files.html b/app/frontend/templates/panel/server_files.html
index ebcf0d3b..af287b43 100644
--- a/app/frontend/templates/panel/server_files.html
+++ b/app/frontend/templates/panel/server_files.html
@@ -1027,7 +1027,9 @@ function downloadFileE(event) {
 
 path = event.target.parentElement.getAttribute('data-path');
 name = event.target.parentElement.getAttribute('data-name');
- window.location.href = `/panel/download_file?id=${serverId}&path=${path}&name=${name}`;
+ encoded_path = encodeURIComponent(path)
+ encoded_name = encodeURIComponent(name)
+ window.location.href = `/panel/download_file?id=${serverId}&path=${encoded_path}&name=${encoded_name}`;
 }
 
 function renameItemE(event) {
diff --git a/app/frontend/templates/server/bedrock_wizard.html b/app/frontend/templates/server/bedrock_wizard.html
index 8b9839e1..a29afcf8 100644
--- a/app/frontend/templates/server/bedrock_wizard.html
+++ b/app/frontend/templates/server/bedrock_wizard.html
@@ -565,7 +565,7 @@ document.getElementById("upload_input").innerHTML = '
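Review bot: `self.request.headers.get("X-FileName", None)` returns `None` when the header is missing, and `urllib.parse.unquote(None)` raises TypeError, so a request without the header now fails with a server error instead of reaching the `.endswith(".zip")` rejection that the `str(filename)` wrapper was written to survive. Default to an empty string instead: `self.request.headers.get("X-FileName", "")`. Decoding here is the right place, since HTTP header values are not percent-decoded by the server and the wizard now sends `encodeURIComponent(file.name)`, but the decoded name should still be reduced to a base name before it is joined to `path` further down, if that is not already done there. The method continues outside the hunk.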
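Review bot: `encoded_path` and `encoded_name` are assigned without `let` or `const`, so they become implicit globals, and the two new lines drop the trailing semicolons the surrounding lines use. The existing `path` and `name` assignments have the same problem, but the new lines need not repeat it; prefer `const encodedPath = encodeURIComponent(path);` and `const encodedName = encodeURIComponent(name);` in the file's camelCase style. `serverId` is still interpolated unencoded, which is fine only as long as it is always numeric.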
 
' let xmlHttpRequest = new XMLHttpRequest();
 let token = getCookie("_xsrf")
- let fileName = file.name
+ let fileName = encodeURIComponent(file.name)
 let target = '/upload'
 let mimeType = file.type
 let size = file.size
@@ -610,7 +610,7 @@ $.ajax({
 type: "POST",
 headers: { 'X-XSRFToken': token },
- url: '/ajax/unzip_server?id=-1&file=' + file.name,
+ url: '/ajax/unzip_server?id=-1&file=' + encodeURIComponent(file.name),
 });
 } else {
 bootbox.alert("You must input a path before selecting this button");
@@ -663,7 +663,7 @@ $.ajax({
 type: "POST",
 headers: { 'X-XSRFToken': token },
- url: '/ajax/unzip_server?id=-1&path=' + path,
+ url: '/ajax/unzip_server?id=-1&path=' + encodeURIComponent(path),
 });
 } else {
 bootbox.alert("You must input a path before selecting this button");
diff --git a/app/frontend/templates/server/wizard.html b/app/frontend/templates/server/wizard.html
index 8346ca92..fd8d3773 100644
--- a/app/frontend/templates/server/wizard.html
+++ b/app/frontend/templates/server/wizard.html
@@ -788,7 +788,7 @@ $.ajax({
 type: "POST",
 headers: { 'X-XSRFToken': token },
- url: '/ajax/unzip_server?id=-1&path=' + path,
+ url: '/ajax/unzip_server?id=-1&path=' + encodeURIComponent(path),
 });
 } else {
 bootbox.alert("You must input a path before selecting this button");
@@ -853,7 +853,7 @@ $.ajax({
 type: "POST",
 headers: { 'X-XSRFToken': token },
- url: '/ajax/unzip_server?id=-1&path=' + path,
+ url: '/ajax/unzip_server?id=-1&path=' + encodeURIComponent(path),
 });
 } else {
 bootbox.alert("You must input a path before selecting this button");
@@ -875,7 +875,7 @@ $.ajax({
 type: "POST",
 headers: { 'X-XSRFToken': token },
- url: '/ajax/unzip_server?id=-1&file=' + file.name,
+ url: '/ajax/unzip_server?id=-1&file=' + encodeURIComponent(file.name),
 });
 } else {
 bootbox.alert("You must input a path before selecting this button");
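Review bot: `fileName` now holds the percent-encoded name for the rest of the upload function, so any later use of it other than the `X-FileName` header value — a progress label or a comparison against a server response, for instance — would see `%20` where the user sees a space. Keeping the raw name and encoding only where the header is written avoids that: leave `let fileName = file.name` as it was and pass `encodeURIComponent(fileName)` at the header assignment. The function body continues outside the hunk, so whether such other uses exist cannot be confirmed from here.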
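Review bot: The `url:` lines in this hunk and in the following ones (`@@ -663` here, and `@@ -788`, `@@ -853`, `@@ -875` in wizard.html) each splice one encoded value into a hand-built query string, which is correct today but leaves every future parameter to be encoded by hand. `URLSearchParams` builds the whole query and encodes every value uniformly, e.g. `url: '/ajax/unzip_server?' + new URLSearchParams({ id: -1, file: file.name }),` and `url: '/ajax/unzip_server?' + new URLSearchParams({ id: -1, path: path }),` for the path variants. The same replacement applies to all five sites, so a small shared helper in the template would remove the duplication as well.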