
Correctly escape UTF-8 path elements for uploads

parent e56bcf92
---
title: Correctly escape UTF-8 path elements for uploads
merge_request: 16560
author:
type: fixed
...@@ -50,7 +50,7 @@ module Banzai ...@@ -50,7 +50,7 @@ module Banzai
end end
def process_link_to_upload_attr(html_attr) def process_link_to_upload_attr(html_attr)
path_parts = [html_attr.value] path_parts = [Addressable::URI.unescape(html_attr.value)]
if group if group
path_parts.unshift(relative_url_root, 'groups', group.full_path, '-') path_parts.unshift(relative_url_root, 'groups', group.full_path, '-')
...@@ -58,13 +58,13 @@ module Banzai ...@@ -58,13 +58,13 @@ module Banzai
path_parts.unshift(relative_url_root, project.full_path) path_parts.unshift(relative_url_root, project.full_path)
end end
path = File.join(*path_parts) path = Addressable::URI.escape(File.join(*path_parts))
html_attr.value = html_attr.value =
if context[:only_path] if context[:only_path]
path path
else else
URI.join(Gitlab.config.gitlab.base_url, path).to_s Addressable::URI.join(Gitlab.config.gitlab.base_url, path).to_s
end end
end end
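Review bot: Decoding the whole attribute value before `File.join` and re-encoding the joined string afterwards is not a lossless round-trip for reserved characters in `process_link_to_upload_attr`. `Addressable::URI.unescape(html_attr.value)` also turns `%23`, `%3F` and `%2F` into literal `#`, `?` and `/`, and `Addressable::URI.escape` presumably treats those as URI delimiters rather than re-encoding them, so an upload whose stored name contains one of them could end up with a different path, query or fragment than the author wrote. Percent-encoded dot segments are decoded the same way before the group or project prefix is prepended, so the prefix no longer guarantees where the link resolves. Consider decoding and encoding per path segment instead of the joined string, and add a spec with a value such as `/uploads/a%23b.png` (constructed example) to pin the behaviour.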
......
...@@ -278,18 +278,19 @@ describe Banzai::Filter::RelativeLinkFilter do ...@@ -278,18 +278,19 @@ describe Banzai::Filter::RelativeLinkFilter do
expect(doc.at_css('a')['href']).to eq 'http://example.com' expect(doc.at_css('a')['href']).to eq 'http://example.com'
end end
it 'supports Unicode filenames' do it 'supports unescaped Unicode filenames' do
path = '/uploads/한글.png' path = '/uploads/한글.png'
escaped = Addressable::URI.escape(path) doc = filter(link(path))
# Stub these methods so the file doesn't actually need to be in the repo expect(doc.at_css('a')['href']).to eq("/#{project.full_path}/uploads/%ED%95%9C%EA%B8%80.png")
allow_any_instance_of(described_class) end
.to receive(:file_exists?).and_return(true)
allow_any_instance_of(described_class)
.to receive(:image?).with(path).and_return(true)
it 'supports escaped Unicode filenames' do
path = '/uploads/한글.png'
escaped = Addressable::URI.escape(path)
doc = filter(image(escaped)) doc = filter(image(escaped))
expect(doc.at_css('img')['src']).to match "/#{project.full_path}/uploads/%ED%95%9C%EA%B8%80.png"
expect(doc.at_css('img')['src']).to eq("/#{project.full_path}/uploads/%ED%95%9C%EA%B8%80.png")
end end
end end
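Review bot: Both Unicode examples assert a relative path, so as far as this section shows, the `else` branch that now calls `Addressable::URI.join(Gitlab.config.gitlab.base_url, path)` is not exercised with a non-ASCII name. An example that runs the filter with `only_path` disabled and expects the absolute, percent-encoded URL would cover that changed line. The unescaped case is also checked only for a link and the escaped case only for an image; covering both inputs for both attributes would confirm `href` and `src` are rewritten the same way. The enclosing `describe` block starts and ends outside this section.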
......