Browsers compatibility issues: Files with [ ] or ( ) in the name do have incorrectly encoded hyperlink in "raw" link.

[TomaszSzt]

Steps to reproduce 1.Create a repository 2.Push a file named like, for an example "Px-[My file title].txt" 3.Enter the GITBlit page with this file, regardless if through commit or through the tree. 4.Find a "Raw" link to that file. Observe it will be looking like: ../../raw/somethi.git/9533e7971509d8476a9845d8fc31707abee9248c/Px-[My file title].tx

Notice that all un-allowed URL characters are NOT escaped. This includes spaces and [ ] brackets. Click it in Firefox or Edge. Observe Server Error. Notice that browsers DID escape correctly spaces but DID NOT escape brackets. I think they should, but they did not.

5.Manually escape all characters using %20 for space %5A for [ and %5D for ] in browser address bar and tap enter. 6.Observe that server correctly responds to that link.

Wokaround

The only workaround to get raw file with such content through web interface is to download zipped repository.

Recomendation

All hyperlinks generated by GITBLIT should be valid, correctly escaped URLs.

Best regards, Tomasz Sztejka

[flaix]

While I agree that the brackets could be escaped, I cannot reproduce an error. Which exact environment (OS/Browser) did you use?

I tested this under macOS with Firefox 92.0.1, Chrome 94.0.4606.81 and Safari 14 as well as under Linux with Firefox 93.0 and Chrome 94.0.4606.71. I never got en error but was always able to see the raw file.

[TomaszSzt]

Sorry for a delay, I was not monitoring this issue for a while.

I can still reproduce it every time and on every machine I checked at my work-place. It doesn't mean much because we were running a mass upgrade recently and all machines are fairly identical, but it shows that it is not a single seat configuration problem.

Windows 10, Firefox 93.0, GitBlit 1.8.0. No Firefox extensions were installed at the moment when the bug was encountered for a first time.

Sever page scree-shot:

The html snippet for this link:

blame | history | raw

You will notice, that the raw link is NOT escaped at all, while blame and history links ARE escaped. Server response: Error Sorry, the requested resource /myfile%20[%20my%20wife%20].txt was not found in ticket/1. The same problem can be reproduced in Edge 94.0.992.50 I did NOT test it with Gitblit 1.9.0 because I could not find any mention about this kind of a problem in a change log and updating a server is a risk I would like to avoid.

[flaix]

Yes, the raw link is not escaped, I just could not reproduce this problem, as the browsers do not mind. I will try this under Windows 10.

[flaix]

Interestingly, this seems to only occur with files that have a combination of spaces and brackets in the name. I was able to reproduce it with the exact filename of yours. A file with just brackets or just spaces does not pose a problem.

[TomaszSzt]

Interestingly, this seems to only occur with files that have a combination of spaces and brackets (...)

Ha! I never tested another combination. Good to know that.

[flaix]

This seems to happen when both spaces and brackets are in a file name. I could not find a specific pattern or combination. The browser escapes spaces everywhere. While file names with spaces without brackets reach the servlet unescaped, this is not true when there are also brackets in the path. I guess that Jetty has some weird rule about when to treat spaces how. Might be interesting to try this with Gitblit in a Tomcat.

[flaix]

I take it you use Gitblit GO? I have fixed this in PR #1383 but would still have to check how this behaves in an application server and if anything breaks.

[TomaszSzt]

I take it you use Gitblit GO? (...) Possibly yes. That think where the GitBlit runs just stand-alone without any other server software needed. Just get Java, unzip and start.

Thanks for fix, now I will have a good reason to update when the next release will be officially ready, tested and stable.

[flaix]

Ya, well, I can give you officially ready, I don't know about tested and stable. I wish I had a way to release thoroughly tested builds, but as things are right now, I don't have the resources for that. And I have no idea how many people still use Gitblit, so how much testing it gets in the field. I do try to keep it as stable as possible.