Cannot stream upload containing '%` in its filename (#924) · Issues · funkwhale / funkwhale

Cannot stream upload containing '%` in its filename

Steps to reproduce

What happens / What is expected ?

The file fails to play because the API answers 404. NginX logs typically report:

2019/09/23 19:20:52 [error] 362#362: *28968 open() "/music/Kaytranada/99.9/05 Drive Me Crazy.flac" failed (2: No such file or directory), client: 172.17.0.1, server: _, request: "GET /api/v1/listen/7d0deaf2-819b-4fa7-ba04-f918ab80ddb3/?upl
oad=a9dda866-d219-4bda-9ac7-38b76b51ecc9&jwt=XD HTTP/1.1", upstream: "http://127.0.0.1:8000/api/v1/listen/7d0deaf2-819b-4fa7-ba04-f918ab80ddb3/?upload=a9dda866-d219-4bda-9ac7-38b76b51ecc9&jwt=XD", host: "funkwhale.theof.fr", referrer: "https://funkwhale.theof.fr/library/artists/29/"

I checked in Django admin the path for that upload, and it seems correct (/music/Kaytranada/99.9%/05 Drive Me Crazy.flac) which makes me believe some sort of escaping for the `%' character is not done properly before passing that path to NginX. Hence I'm marking this as confidential as I guess it might be a security issue ? but have'nt done further research.

By the way I would love to hear how you tell NginX to send a file from the API :)

Context

Funkwhale version(s) affected: 0.19.0

love your work, you're awesome ! :)

<!--
Hi there! You are reporting a bug on this project, and we want to thank you!

If it's the first time you post here, please take a moment to read our Code of Conduct
(https://funkwhale.audio/code-of-conduct/) and ensure your issue respect our guidelines.

To ensure your bug report is as useful as possible, please try to stick
to the following structure. You can leave the parts text between `<!- ->`
markers untouched, they won't be displayed in your final message.

Please do not edit the following line, it's used for automatic classification
-->

## Steps to reproduce

<!--
Describe the steps to reproduce the issue, like:

1. Do an in place import of a file that contains the character '%` in its path.
2. Attempt to play that file in either Funkwhale's frontend or DSub clients.
-->

## What happens / What is expected ?

The file fails to play because the API answers 404. NginX logs typically report:
```
2019/09/23 19:20:52 [error] 362#362: *28968 open() "/music/Kaytranada/99.9/05 Drive Me Crazy.flac" failed (2: No such file or directory), client: 172.17.0.1, server: _, request: "GET /api/v1/listen/7d0deaf2-819b-4fa7-ba04-f918ab80ddb3/?upl
oad=a9dda866-d219-4bda-9ac7-38b76b51ecc9&jwt=XD HTTP/1.1", upstream: "http://127.0.0.1:8000/api/v1/listen/7d0deaf2-819b-4fa7-ba04-f918ab80ddb3/?upload=a9dda866-d219-4bda-9ac7-38b76b51ecc9&jwt=XD", host: "funkwhale.theof.fr", referrer: "https://funkwhale.theof.fr/library/artists/29/"
```
I checked in Django admin the path for that upload, and it seems correct (`/music/Kaytranada/99.9%/05 Drive Me Crazy.flac`) which makes me believe some sort of escaping for the `%' character is not done properly before passing that path to NginX.
Hence I'm marking this as confidential as I guess it might be a security issue ? but have'nt done further research.

*By the way I would love to hear how you tell NginX to send a file from the API :)*

## Context

**Funkwhale version(s) affected**: 0.19.0
<!--
If relevant, share additional context here like:

- Browser type and version (for front-end bugs)
- Instance configuration (Docker/non-docker, nginx/apache as proxy, etc.)
- Error messages, screenshots and logs
-->

-----
love your work, you're awesome ! :)

Edited Sep 30, 2019 by Theophile Vallee