Skip to content

fix: signed URLs containing a hash #415

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rhafer merged 1 commit into from
Nov 12, 2025
Merged

fix: signed URLs containing a hash #415

rhafer merged 1 commit into from
Nov 12, 2025

Conversation

@JammingBen
Copy link

@JammingBen JammingBen commented Nov 12, 2025
edited
Loading

Encodes singed URLs so they can be resolved properly.

fixes opencloud-eu/opencloud#1808

@JammingBen JammingBen self-assigned this Nov 12, 2025
@JammingBen JammingBen force-pushed the fix/signed-urls-containing-hash branch from c3fbd9e to 2d44993 Compare November 12, 2025 13:01
@JammingBen JammingBen marked this pull request as ready for review November 12, 2025 13:14
@JammingBen
Copy link
Author

JammingBen commented Nov 12, 2025

@rhafer I thought I'd give this a shot, not sure if it's the best approach though. Also maybe there's a better utility method for encoding hashes? I think fully encoding the URL (including all slashes etc.) might be a bit too much.

@JammingBen JammingBen requested a review from rhafer November 12, 2025 13:16
@rhafer
Copy link

rhafer commented Nov 12, 2025

@rhafer I thought I'd give this a shot, not sure if it's the best approach though. Also maybe there's a better utility method for encoding hashes? I think fully encoding the URL (including all slashes etc.) might be a bit too much.

Thanks for looking into this. I think just replacing the # is not enough there are other characters that would need escaping when present in the path .

Provided that the path coming into the downloadURL function is not already partially escaped (I don't really know that from the top of my head) I think the proper fix would involve spliting the path into it's individual parts ( using strings.Split(path, "/') ) and then using url.JoinPath to get the correctly escaped path and use that construct the URL that you want to sign.

@JammingBen JammingBen force-pushed the fix/signed-urls-containing-hash branch from 2d44993 to 246fe8c Compare November 12, 2025 14:30
@JammingBen
Copy link
Author

JammingBen commented Nov 12, 2025

Provided that the path coming into the downloadURL function is not already partially escaped (I don't really know that from the top of my head) I think the proper fix would involve spliting the path into it's individual parts ( using strings.Split(path, "/') ) and then using url.JoinPath to get the correctly escaped path and use that construct the URL that you want to sign.

The path doesn't look escaped to me, I've tried it in authenticated and unauthenticated contexts.

rhafer
rhafer requested changes Nov 12, 2025
View reviewed changes
internal/http/services/owncloud/ocdav/propfind/propfind.go Outdated
for i := range pathParts {
pathParts[i] = url.PathEscape(pathParts[i])
}
encodedPath := strings.Join(pathParts, "/")
Copy link

@rhafer rhafer Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of the loop and the strings.Join I'd suggest to use:

encodedPath, err := url.JoinPath("", parts...)

That does the whole thing in one go.

Copy link
Author

@JammingBen JammingBen Nov 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost, it loses the leading /. I changed it to url.JoinPath("/", parts...). Which results in it always including a leading /, even if the given path doesn't have it initially. Which would probably not be an issue...? Or do you think it's better to check for that as well?

Copy link

@rhafer rhafer Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When do you get a leading /? Does that ever happen?

Copy link
Author

@JammingBen JammingBen Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my observations, the given path always has a leading /. So it just stays this way. But if there would be a path without it, encodedPath would still end up with a leading / now. But again, that doesn't seem to happen, at least not that I can see.

Copy link

@rhafer rhafer Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. Then your change should be fine.

@JammingBen
fix: signed URLs containing a hash
4545dd5 
Encodes singed URLs so they can be resolved properly.
@JammingBen JammingBen force-pushed the fix/signed-urls-containing-hash branch from 246fe8c to 4545dd5 Compare November 12, 2025 15:26
@rhafer rhafer merged commit 84501d4 into main Nov 12, 2025
19 checks passed
@rhafer rhafer deleted the fix/signed-urls-containing-hash branch November 12, 2025 15:56
@openclouders openclouders mentioned this pull request Nov 12, 2025
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhafer rhafer rhafer approved these changes

Assignees

@JammingBen JammingBen

Labels

Type:Bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Signed URL doesn't work if file name includes #

3 participants

@JammingBen @rhafer