make sure the url used by proxy is same as origin url

Encoding or decoding it breaks some signed URLs.
Sachin Joshi 2019-07-07 14:13:40 +05:45
parent 3589b30ddc
commit f5ad430974
2 changed files with 6 additions and 24 deletions


@ -33,20 +33,7 @@ defp whitelisted?(url) do
def encode_url(url) do def encode_url(url) do
secret = Pleroma.Config.get([Pleroma.Web.Endpoint, :secret_key_base]) secret = Pleroma.Config.get([Pleroma.Web.Endpoint, :secret_key_base])
base64 = Base.url_encode64(url, @base64_opts)
# Must preserve `%2F` for compatibility with S3
# https://git.pleroma.social/pleroma/pleroma/issues/580
replacement = get_replacement(url, ":2F:")
# The URL is url-decoded and encoded again to ensure it is correctly encoded and not twice.
base64 =
url
|> String.replace("%2F", replacement)
|> URI.decode()
|> URI.encode()
|> String.replace(replacement, "%2F")
|> Base.url_encode64(@base64_opts)
sig = :crypto.hmac(:sha, secret, base64) sig = :crypto.hmac(:sha, secret, base64)
sig64 = sig |> Base.url_encode64(@base64_opts) sig64 = sig |> Base.url_encode64(@base64_opts)
@ -80,12 +67,4 @@ def build_url(sig_base64, url_base64, filename \\ nil) do
|> Enum.filter(fn value -> value end) |> Enum.filter(fn value -> value end)
|> Path.join() |> Path.join()
end end
defp get_replacement(url, replacement) do
if String.contains?(url, replacement) do
get_replacement(url, replacement <> replacement)
else
replacement
end
end
end end
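Review bot: With the decode/encode round-trip removed, `encode_url/1` signs whatever string it receives at `base64 = Base.url_encode64(url, @base64_opts)`, so a URL with a raw space (the updated test keeps `Hello world.jpg` unchanged), control characters or non-ASCII bytes presumably reaches the upstream fetch without any normalisation. If these URLs originate from remote content, a strict check before signing would keep pre-signed URLs intact while rejecting malformed input, for example requiring that `URI.parse/1` yields an http or https scheme and a host, and that the string contains no bytes below 0x20. The new line also lost the explanatory comment the old code had; something like `# Sign the URL byte-for-byte; re-encoding breaks pre-signed URLs (issue 1055)` would record why no encoding happens here. The rest of `encode_url/1` and the decode path lie outside this hunk, so whether validation happens there cannot be confirmed from what is shown.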


@ -70,9 +70,12 @@ test "encodes and decodes URL and ignores query params for the path" do
assert decode_result(encoded) == url assert decode_result(encoded) == url
end end
test "ensures urls are url-encoded" do # Some of the signed url expect the special character in the url to be same
# for the proxy to work.
# Issue https://git.pleroma.social/pleroma/pleroma/issues/1055
test "ensures urls are maintained (character are not encoded or decoded)" do
assert decode_result(url("https://pleroma.social/Hello world.jpg")) == assert decode_result(url("https://pleroma.social/Hello world.jpg")) ==
"https://pleroma.social/Hello%20world.jpg" "https://pleroma.social/Hello world.jpg"
assert decode_result(url("https://pleroma.social/Hello%20world.jpg")) == assert decode_result(url("https://pleroma.social/Hello%20world.jpg")) ==
"https://pleroma.social/Hello%20world.jpg" "https://pleroma.social/Hello%20world.jpg"