funkwhale / funkwhale / Issues / #924

Closed
Open
Created Sep 23, 2019 by Theophile Vallee (@itheof)

Cannot stream upload containing '%' in its filename

Steps to reproduce

What happens / What is expected ?

The file fails to play because the API answers 404. NginX logs typically report:

2019/09/23 19:20:52 [error] 362#362: *28968 open() "/music/Kaytranada/99.9/05 Drive Me Crazy.flac" failed (2: No such file or directory), client: 172.17.0.1, server: _, request: "GET /api/v1/listen/7d0deaf2-819b-4fa7-ba04-f918ab80ddb3/?upload=a9dda866-d219-4bda-9ac7-38b76b51ecc9&jwt=XD HTTP/1.1", upstream: "http://127.0.0.1:8000/api/v1/listen/7d0deaf2-819b-4fa7-ba04-f918ab80ddb3/?upload=a9dda866-d219-4bda-9ac7-38b76b51ecc9&jwt=XD", host: "funkwhale.theof.fr", referrer: "https://funkwhale.theof.fr/library/artists/29/"

I checked in Django admin the path for that upload, and it seems correct (/music/Kaytranada/99.9%/05 Drive Me Crazy.flac), which makes me believe some sort of escaping for the '%' character is not done properly before passing that path to NginX. Hence I'm marking this as confidential, as I guess it might be a security issue? But I haven't done further research.

By the way I would love to hear how you tell NginX to send a file from the API :)

Context

Funkwhale version(s) affected: 0.19.0


love your work, you're awesome ! :)

Edited Sep 30, 2019 by Theophile Vallee
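
The mismatch reported above, as an added example that is not part of the original issue and not Funkwhale's code: a stored path is handed to a consumer that percent-decodes it once, with and without encoding it first. `proxy_decode`, `internal_redirect_target` and `opened_path` are hypothetical names, and the decoder's handling of a malformed escape (dropping the `%`) is an assumption chosen to match the logged path.

```python
import re
from urllib.parse import quote

# Assumed model of the front-end server: decode %XX once, and drop a "%"
# that is not followed by two hex digits (this matches the logged path).
_ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})?")

def proxy_decode(value: str) -> str:
    decoded = _ESCAPE.sub(
        lambda m: bytes([int(m.group(1), 16)]) if m.group(1) else b"",
        value.encode("utf-8"),
    )
    return decoded.decode("utf-8", "replace")

def internal_redirect_target(fs_path: str) -> str:
    """Percent-encode a stored path for a decode-once consumer.

    "/" stays literal so the directory structure survives; "%", spaces,
    "?" and "#" are escaped so they cannot act as escapes or delimiters.
    """
    if not fs_path.startswith("/"):
        raise ValueError("expected an absolute path")
    return quote(fs_path, safe="/")

def opened_path(fs_path: str, encode: bool) -> str:
    """Path the consumer ends up opening for a given stored path."""
    target = internal_redirect_target(fs_path) if encode else fs_path
    return proxy_decode(target)

# First entry is the path from the issue; the others are constructed.
SAMPLES = [
    "/music/Kaytranada/99.9%/05 Drive Me Crazy.flac",
    "/music/Constructed/50%20 Off.flac",
    "/music/Constructed/A%2FB.flac",
]

def report():
    """(stored path, opened unencoded, opened encoded) for each sample."""
    return [(p, opened_path(p, False), opened_path(p, True)) for p in SAMPLES]

if __name__ == "__main__":
    for stored, raw, encoded in report():
        print(f"stored : {stored}\n  raw    -> {raw}\n  encoded-> {encoded}")
```

The third sample shows why this matters beyond a 404: an unencoded `%2F` in a file name turns into a path separator after decoding, so the consumer opens a different location than the one stored.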