
Commit 66a3353

zeripathtechknowlogick
authored andcommitted
Properly escape on the redirect from the web editor (#6657) (#6667)
1 parent 5236d8a commit 66a3353

1 file changed

+8
-7
lines changed


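--- a/routers/repo/editor.go
+++ b/routers/repo/editor.go
@@ -20,6 +20,7 @@ import (
 "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/templates"
 "code.gitea.io/gitea/modules/uploader"
+"code.gitea.io/gitea/modules/util"
 )
 
 const (
@@ -66,9 +67,9 @@ func editFile(ctx *context.Context, isNewFile bool) {
 treePath := cleanUploadFileName(ctx.Repo.TreePath)
 if treePath != ctx.Repo.TreePath {
 if isNewFile {
-ctx.Redirect(path.Join(ctx.Repo.RepoLink, "_new", ctx.Repo.BranchName, treePath))
+ctx.Redirect(path.Join(ctx.Repo.RepoLink, "_new", util.PathEscapeSegments(ctx.Repo.BranchName), util.PathEscapeSegments(treePath)))
 } else {
-ctx.Redirect(path.Join(ctx.Repo.RepoLink, "_edit", ctx.Repo.BranchName, treePath))
+ctx.Redirect(path.Join(ctx.Repo.RepoLink, "_edit", util.PathEscapeSegments(ctx.Repo.BranchName), util.PathEscapeSegments(treePath)))
 }
 return
 }
@@ -324,7 +325,7 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
 return
 }
 
-ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + branchName + "/" + strings.NewReplacer("%", "%25", "#", "%23", " ", "%20", "?", "%3F").Replace(form.TreePath))
+ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + util.PathEscapeSegments(branchName) + "/" + util.PathEscapeSegments(form.TreePath))
 }
 
 // EditFilePost response for editing file
@@ -376,7 +377,7 @@ func DeleteFile(ctx *context.Context) {
 treePath := cleanUploadFileName(ctx.Repo.TreePath)
 
 if treePath != ctx.Repo.TreePath {
-ctx.Redirect(path.Join(ctx.Repo.RepoLink, "_delete", ctx.Repo.BranchName, treePath))
+ctx.Redirect(path.Join(ctx.Repo.RepoLink, "_delete", util.PathEscapeSegments(ctx.Repo.BranchName), util.PathEscapeSegments(treePath)))
 return
 }
 
@@ -460,7 +461,7 @@ func DeleteFilePost(ctx *context.Context, form auth.DeleteRepoFileForm) {
 }
 
 ctx.Flash.Success(ctx.Tr("repo.editor.file_delete_success", ctx.Repo.TreePath))
-ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + branchName)
+ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + util.PathEscapeSegments(branchName))
 }
 
 func renderUploadSettings(ctx *context.Context) {
@@ -477,7 +478,7 @@ func UploadFile(ctx *context.Context) {
 canCommit := renderCommitRights(ctx)
 treePath := cleanUploadFileName(ctx.Repo.TreePath)
 if treePath != ctx.Repo.TreePath {
-ctx.Redirect(path.Join(ctx.Repo.RepoLink, "_upload", ctx.Repo.BranchName, treePath))
+ctx.Redirect(path.Join(ctx.Repo.RepoLink, "_upload", util.PathEscapeSegments(ctx.Repo.BranchName), util.PathEscapeSegments(treePath)))
 return
 }
 ctx.Repo.TreePath = treePath
@@ -596,7 +597,7 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
 return
 }
 
-ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + branchName + "/" + form.TreePath)
+ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + util.PathEscapeSegments(branchName) + "/" + util.PathEscapeSegments(form.TreePath))
 }
 
 func cleanUploadFileName(name string) string {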
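Review bot: The escaped redirect target is now hand-assembled at seven call sites in two different shapes — `path.Join(ctx.Repo.RepoLink, "_new", …)` in editFile, DeleteFile and UploadFile versus `ctx.Repo.RepoLink + "/src/branch/" + …` in editFilePost, DeleteFilePost and UploadFilePost — so the next redirect added to this file can easily miss the `util.PathEscapeSegments` call again. A small helper that owns the escaping would keep every editor redirect on one code path; the `/src/branch/` sites could use it too, but note that `path.Join` drops the trailing slash the concatenation form produces when `form.TreePath` is empty, so either make that change deliberately or keep the concatenation for those three. `ctx.Repo.RepoLink` is still concatenated unescaped at every site, which is presumably fine if it is already built as an escaped link — worth confirming where it is set. editFilePost, DeleteFilePost and UploadFilePost all start outside their hunks, and cleanUploadFileName's body lies outside the last one.
```go
// redirectToEditor sends the browser to the editor page for branchName/treePath
// under the current repository, escaping each user-controlled segment exactly once.
func redirectToEditor(ctx *context.Context, action, branchName, treePath string) {
	ctx.Redirect(path.Join(ctx.Repo.RepoLink, action, util.PathEscapeSegments(branchName), util.PathEscapeSegments(treePath)))
}

// … unchanged: editFile body up to the cleaned-name check …
redirectToEditor(ctx, "_new", ctx.Repo.BranchName, treePath)
```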
