ReverseProxy fails incorrectly if there are spaces in the url
If the media proxy is enabled for remote media, and the remote media has a space in the url, e.g. the custom emoji https://social.deadsuperhero.com/emoji/US Military/20201019_163402.png in the profile name of "https://social.deadsuperhero.com/users/sean", the Pleroma.ReverseProxy.call/3 fails to retrieve the emoji but instead gets a status 200 text/html response (the Pleroma front page). If you change the space to %20 it works fine.
With the space:
iex(...)2> Pleroma.ReverseProxy.call(%Plug.Conn{method: "GET"}, "https://social.deadsuperhero.com/emoji/US Military/20201019_163402.png")
00:51:35.748 [debug] Elixir.Pleroma.ReverseProxy GET https://social.deadsuperhero.com/emoji/US Military/20201019_163402.png []
00:51:36.363 [debug] Elixir.Pleroma.ReverseProxy 200 https://social.deadsuperhero.com/emoji/US Military/20201019_163402.png [{"server", "nginx/1.14.2"}, {"date", "Sat, 26 Dec 2020 00:51:36 GMT"}, {"content-type", "text/html; charset=utf-8"}, {"content-length", "7133"}, {"connection", "keep-alive"}, {"vary", "Accept-Encoding"}, {"access-control-allow-credentials", "true"}, {"access-control-allow-origin", "*"}, {"access-control-expose-headers", "Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key"}, {"cache-control", "max-age=0, private, must-revalidate"}, {"content-security-policy", "upgrade-insecure-requests;script-src 'self';connect-src 'self' blob: https://social.deadsuperhero.com wss://social.deadsuperhero.com;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'self';frame-ancestors 'none';style-src 'self' 'unsafe-inline';font-src 'self';manifest-src 'self';"}, {"referrer-policy", "same-origin"}, {"x-content-type-options", "nosniff"}, {"x-download-options", "noopen"}, {"x-frame-options", "DENY"}, {"x-permitted-cross-domain-policies", "none"}, {"x-request-id", "FlQd8vnPZKcAXwgBNBKB"}, {"x-xss-protection", "1; mode=block"}]
With %20:
iex(...)1> Pleroma.ReverseProxy.call(%Plug.Conn{method: "GET"}, "https://social.deadsuperhero.com/emoji/US%20Military/20201019_163402.png")
00:39:10.308 [debug] Elixir.Pleroma.ReverseProxy GET https://social.deadsuperhero.com/emoji/US%20Military/20201019_163402.png []
00:39:10.942 [debug] Elixir.Pleroma.ReverseProxy 200 https://social.deadsuperhero.com/emoji/US%20Military/20201019_163402.png [{"server", "nginx/1.14.2"}, {"date", "Sat, 26 Dec 2020 00:39:10 GMT"}, {"content-type", "image/png"}, {"content-length", "7140"}, {"connection", "keep-alive"}, {"accept-ranges", "bytes"}, {"access-control-allow-credentials", "true"}, {"access-control-allow-origin", "*"}, {"access-control-expose-headers", "Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key"}, {"cache-control", "public, no-cache"}, {"content-security-policy", "upgrade-insecure-requests;script-src 'self';connect-src 'self' blob: https://social.deadsuperhero.com wss://social.deadsuperhero.com;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'self';frame-ancestors 'none';style-src 'self' 'unsafe-inline';font-src 'self';manifest-src 'self';"}, {"etag", "\"6E857F2\""}, {"referrer-policy", "same-origin"}, {"vary", "Accept-Encoding"}, {"x-content-type-options", "nosniff"}, {"x-download-options", "noopen"}, {"x-frame-options", "DENY"}, {"x-permitted-cross-domain-policies", "none"}, {"x-xss-protection", "1; mode=block"}]
I think it should have failed upon receiving an incorrect content type even though it has a 200 status code, or it should have url-encoded the url (or both).
(On stable 2.2.1, from source, Elixir 1.11.2, Erlang/OTP 23, Debian 9.13)
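The two remedies suggested in the report, written out as an added example (this is not Pleroma's code; the module name, function names and the allow-list of media types are assumptions made for illustration). It encodes characters that are illegal in a URL before the upstream request, and rejects a 200 response whose content type is not media:

```elixir
defmodule MediaProxyChecks do
  @moduledoc "Added example; hypothetical names, not part of Pleroma."

  # Assumption: a media proxy should only relay these top-level types.
  @allowed_prefixes ["image/", "audio/", "video/"]

  @doc "Percent-encode characters not legal in a URL, keeping existing %XX escapes."
  def encode_url(url) when is_binary(url) do
    # "%" is allowed through so "US%20Military" is not double-encoded
    # to "US%2520Military". Reserved characters (":", "/", "?", ...) are
    # left alone by URI.char_unescaped?/1, so the URL structure survives.
    URI.encode(url, fn char -> char == ?% or URI.char_unescaped?(char) end)
  end

  @doc "Accept a response only if its content-type is an allowed media type."
  def check_content_type(headers) when is_list(headers) do
    raw =
      Enum.find_value(headers, "", fn {name, value} ->
        if String.downcase(name) == "content-type", do: value
      end)

    # Drop parameters such as "; charset=utf-8" before comparing.
    type =
      raw
      |> String.split(";", parts: 2)
      |> hd()
      |> String.trim()
      |> String.downcase()

    if Enum.any?(@allowed_prefixes, &String.starts_with?(type, &1)) do
      {:ok, type}
    else
      # A 200 with text/html (the front page in the report) ends up here.
      {:error, {:unexpected_content_type, type}}
    end
  end
end

# Inputs taken from the two requests in the report; header lists are
# trimmed to the content-type entry.
url = "https://social.deadsuperhero.com/emoji/US Military/20201019_163402.png"
IO.puts(MediaProxyChecks.encode_url(url))
IO.inspect(MediaProxyChecks.check_content_type([{"content-type", "text/html; charset=utf-8"}]))
IO.inspect(MediaProxyChecks.check_content_type([{"content-type", "image/png"}]))
```

A stray literal "%" that is not part of an escape is passed through unchanged by `encode_url/1`; a caller that must handle that case needs to validate escapes separately.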