WebGUI: Escape character in folder or file name prevents access

[sebveit]

• Gitea version (or commit ref): 1.15.7 built with GNU Make 4.1, go1.16.10 : bindata, sqlite, sqlite_unlock_notify
• Git version: 2.30.2
• Operating system: Debian GNU/Linux 11 (bullseye)
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL): https://try.gitea.io/sebveit/meta-openwrt
  • No

Description

I've cloned a repository from GitHub that uses the percentage character (%) in file and folder names a lot. This %-char prevents the access, via the web GUI of Gitea, to the file or folder containing this char in its name.
It looks like Gitea is displaying the %-char correctly but fails to provide the correct URL when clicking on it.
When I modify the URL and try to access it, nginx answers with 400 Bad Request.

Example

Expected URL: https://try.gitea.io/sebveit/meta-openwrt/src/branch/master/recipes-tweaks/busybox/busybox_%.bbappend
Actual URL: https://try.gitea.io/sebveit/meta-openwrt/src/branch/master/recipes-tweaks/busybox/busybox_%25.bbappend

Reverse Proxy

I'm using nginx (1.18) as a reverse proxy for Gitea. My config for nginx is the following:

server {
    listen 443 ssl;
    server_name gitea.somedomain.tld;
    ssl_certificate     /etc/nginx/ssl/gitea.somedomain.tld.crt;
    ssl_certificate_key /etc/nginx/ssl/gitea.somedomain.tld.key;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 50M;
    }
}

I hope that helps pinpointing the bug. Let me know if you need additional information.
BTW, Gitea is really nice and slim compared to the bloated GitLab.

[wxiaoguang]

Maybe this is a bug for path processing. However Expected URL busybox_%.bbappend is not correct, either. Non-standard characters should be encoded due to RFC.

Unfortunately, at this moment, the URL can open the target is:

https://try.gitea.io/sebveit/meta-openwrt/src/branch/master/recipes-tweaks/busybox/busybox_%2525.bbappend

I am not sure it is correct or not. @zeripath can you help to take a look for this?

[zeripath]

OK so this used to work in 1.14.7 but is broken from 1.15.0

This is going to be related to the chi migration.

[zeripath]

This is interesting the ctx.Params("*") appears to be "" even though the requestURI is correct...

[zeripath]

Right the problem is:

gitea/modules/context/context.go

Line 484 in f58e687

s, _ := url.PathUnescape(chi.URLParam(ctx.Req, strings.TrimPrefix(p, ":")))

This is double unescaping the Params("*") value.

Now I need to double check that this is always the case.

---

Yup it is.

Therefore we should just drop this.

---

Nope that's not the solution.

The problem is with the routeParams.

I think I've solved this now.