fix: correctly handle non-ascii passwords for shared resources

2022-02-21 20:47:28 +01:00 · 2022-02-21 20:47:28 +01:00 · c782f21b0f
parent 0942fc7042
commit c782f21b0f
2 changed files with 6 additions and 1 deletions
--- a/frontend/src/api/pub.js
+++ b/frontend/src/api/pub.js
@ -5,7 +5,7 @@ export async function fetch(url, password = "") {
  url = removePrefix(url);

  const res = await fetchURL(`/api/public/share${url}`, {
-    headers: { "X-SHARE-PASSWORD": password },
+    headers: { "X-SHARE-PASSWORD": encodeURIComponent(password) },
  });

  if (res.status === 200) {
--- a/http/public.go
+++ b/http/public.go
@ -3,6 +3,7 @@ package http
 import (
 	"errors"
 	"net/http"
+	"net/url"
 	"path"
 	"path/filepath"
 	"strings"
@ -124,6 +125,10 @@ func authenticateShareRequest(r *http.Request, l *share.Link) (int, error) {
 	}

 	password := r.Header.Get("X-SHARE-PASSWORD")
+	password, err := url.QueryUnescape(password)
+	if err != nil {
+		return 0, err
+	}
 	if password == "" {
 		return http.StatusUnauthorized, nil
 	}