Commit 8fa5c66e authored by lain's avatar lain
Browse files

Merge branch 'fix/media-proxy-url-encoded' into 'develop'

Media proxy: fix url encoding

See merge request !521
parents 4976a8b0 bdc8112e
Pipeline #5112 canceled with stages
...@@ -24,7 +24,12 @@ def remote(conn, params = %{"sig" => sig64, "url" => url64}) do ...@@ -24,7 +24,12 @@ def remote(conn, params = %{"sig" => sig64, "url" => url64}) do
end end
def filename_matches(has_filename, path, url) do def filename_matches(has_filename, path, url) do
filename = MediaProxy.filename(url) filename =
url
|> MediaProxy.filename()
|> URI.decode()
path = URI.decode(path)
cond do cond do
has_filename && filename && Path.basename(path) != filename -> {:wrong_filename, filename} has_filename && filename && Path.basename(path) != filename -> {:wrong_filename, filename}
......
...@@ -14,7 +14,14 @@ def url(url) do ...@@ -14,7 +14,14 @@ def url(url) do
url url
else else
secret = Application.get_env(:pleroma, Pleroma.Web.Endpoint)[:secret_key_base] secret = Application.get_env(:pleroma, Pleroma.Web.Endpoint)[:secret_key_base]
base64 = Base.url_encode64(url, @base64_opts)
# The URL is url-decoded and encoded again to ensure it is correctly encoded and not twice.
base64 =
url
|> URI.decode()
|> URI.encode()
|> Base.url_encode64(@base64_opts)
sig = :crypto.hmac(:sha, secret, base64) sig = :crypto.hmac(:sha, secret, base64)
sig64 = sig |> Base.url_encode64(@base64_opts) sig64 = sig |> Base.url_encode64(@base64_opts)
......
defmodule Pleroma.MediaProxyTest do defmodule Pleroma.MediaProxyTest do
use ExUnit.Case use ExUnit.Case
import Pleroma.Web.MediaProxy import Pleroma.Web.MediaProxy
alias Pleroma.Web.MediaProxy.MediaProxyController
describe "when enabled" do describe "when enabled" do
setup do setup do
...@@ -65,6 +66,14 @@ test "encodes and decodes URL and ignores query params for the path" do ...@@ -65,6 +66,14 @@ test "encodes and decodes URL and ignores query params for the path" do
assert decode_result(encoded) == url assert decode_result(encoded) == url
end end
test "ensures urls are url-encoded" do
assert decode_result(url("https://pleroma.social/Hello world.jpg")) ==
"https://pleroma.social/Hello%20world.jpg"
assert decode_result(url("https://pleroma.social/Hello%20world.jpg")) ==
"https://pleroma.social/Hello%20world.jpg"
end
test "validates signature" do test "validates signature" do
secret_key_base = Pleroma.Config.get([Pleroma.Web.Endpoint, :secret_key_base]) secret_key_base = Pleroma.Config.get([Pleroma.Web.Endpoint, :secret_key_base])
...@@ -83,6 +92,34 @@ test "validates signature" do ...@@ -83,6 +92,34 @@ test "validates signature" do
assert decode_url(sig, base64) == {:error, :invalid_signature} assert decode_url(sig, base64) == {:error, :invalid_signature}
end end
test "filename_matches matches url encoded paths" do
assert MediaProxyController.filename_matches(
true,
"/Hello%20world.jpg",
"http://pleroma.social/Hello world.jpg"
) == :ok
assert MediaProxyController.filename_matches(
true,
"/Hello%20world.jpg",
"http://pleroma.social/Hello%20world.jpg"
) == :ok
end
test "filename_matches matches non-url encoded paths" do
assert MediaProxyController.filename_matches(
true,
"/Hello world.jpg",
"http://pleroma.social/Hello%20world.jpg"
) == :ok
assert MediaProxyController.filename_matches(
true,
"/Hello world.jpg",
"http://pleroma.social/Hello world.jpg"
) == :ok
end
test "uses the configured base_url" do test "uses the configured base_url" do
base_url = Pleroma.Config.get([:media_proxy, :base_url]) base_url = Pleroma.Config.get([:media_proxy, :base_url])
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment