New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for files and directories with + as a character in the file name b0rking Rack::Directory #265
Conversation
…/file name.file from the POV of the web server, which is a Bad Thing.
…/file name.file from the POV of the web server, which is a Bad Thing.
|
On Tue, Nov 15, 2011 at 11:38 PM, Joshua Peek
I am aware of that. '+' in a filename does not mean a space, however,
|
|
On Nov 16, 2011 8:53 AM, "Rich Meyers" <
Then that whoever is Rack::Directory. If you want a demo, configure a racked webserver to serve an Ubuntu install
|
Maybe that's your HTTP client not escaping + as it thinks it's a space-plus? Rack should definitely stick to the URI spec. |
@VictorLowther it does look like Rack::Directory is not encoding file names, and that would be the bug. The correct fix would be to have Rack::Directory encode file names in directory listings. |
A but more background: I encountered this bug when trying to use Rainbows to serve up an Ubuntu install tree for net installs. Out of all the web servers I tried, only Rainbows failed to act as a backing webserver when using Rack::Directory to serve up the directory tree -- the install failed the first time it tried to serve a filename with a + in the name. To replicate: Then, in a different terminal: wget will print a directory index for the first pull, and get 404 errors for the second and third. The Rainbows output will show: 127.0.0.1 - - [19/Nov/2011 09:27:45] "GET / HTTP/1.0" 200 - 0.0153 With the changes in this patch, I get: 127.0.0.1 - - [19/Nov/2011 09:39:55] "GET / HTTP/1.0" 200 - 0.0046 Webrick, nginx, thttpd, and apache all do the expected thing. The issue is not whether the client is failing to properly encode requests to the server (unless wget has managed to get it wrong for all these years). The issue is that Rack appears to be doing the Wrong Thing when decoding the requests and matching them against the files I am asking it to serve. |
What happens when you have Also, what is in the directory listings for |
On Nov 19, 2011 10:59 AM, "Rich Meyers" <
|
I am patching rack to correct the output of the Directory Index from Rack::Directory. I will not support not escaping file names at this time. Escaping is expected and required by rack in order to conform to RFC. If you believe this is in error, feel free to continue the discussion. At this time, supporting reading files from uris that are not correctly escaped will not be supported. Thank you for your bug report, even though we may not agree on the solution, I have fixed the bug that is apparent in Rack::Directory. |
Of course file names should be escaped. The bug is that valid URI paths are incorrectly unescaped. For example, From RFC 3986:
Where |
This is still a bug. Worse, it's been worked around in Rails in an additionally buggy way, to great confusion and gnashing of teeth: rails/rails#11816 (comment) The proposed fix here (removing unescaping) is wrong. The right fix is to unescape as pchar instead of the blanket |
This is fundamentally the CGI heritage, which we should drop, but if we drop it, we have to do that as a major change, as we should drop it across the board, both in escape and unescape. |
directories that have + in the name should be served up if the browser puts a + in the path. + is a valid path character, so it should not be translated to a space (like you do in query parameters). references #265 rails/rails#11816
Having a + in file and path names is a perfectly cromulent thing, and unescaping the name magically turns those + es into es