Given a file on disk with a percent sign in its name, it is not possible to download it using echo's static middleware.
Given some file names:
100%.txt
foo%20bar.txt (this is really the name on disk)
It is not possible to download these files using the static middleware.
Checklist
[X] Dependencies installed
[X] No typos
[X] Searched existing issues and docs
Expected behaviour
The standard way to download them would be using the folowing paths:
100%.txt -> GET /100%25.txt
foo%20bar.txt -> GET /foo%2520bar.txt
Actual behaviour
100%.txt -> GET /100%25.txt
echo error message: invalid URL escape "%.p (because of the double unescape and .p is no valid hex)
foo%20bar.txt -> GET /foo%2520bar.txt
echo error message: path does not exist (because file foo bar.txt does not exist, only foo%20bar.txt)
Background is that url.Path in http.Request is already escaped (as the documentation for url.Path suggests), but echo is unescaping it again.
I tried to generate a fix. For the non-embedded case this is solved by simply removing the explicit url.PathUnescape call in static.go (see https://github.com/georgmu/echo/commit/852dedeca2a22a0b6967e71f69cbb0823959a198 which also contains some test cases). I haven't created a merge request yet, as the embedding using groups or path patterns is a bit more complicated (I haven't fully understand the case for the disablePathUnescaping toggle).
Issue Description
Given a file on disk with a percent sign in its name, it is not possible to download it using echo's static middleware.
Given some file names:
100%.txt
foo%20bar.txt
(this is really the name on disk)It is not possible to download these files using the static middleware.
Checklist
Expected behaviour
The standard way to download them would be using the folowing paths:
100%.txt
->GET /100%25.txt
foo%20bar.txt
->GET /foo%2520bar.txt
Actual behaviour
100%.txt
->GET /100%25.txt
invalid URL escape "%.p
(because of the double unescape and.p
is no valid hex)foo%20bar.txt
->GET /foo%2520bar.txt
path does not exist
(because filefoo bar.txt
does not exist, onlyfoo%20bar.txt
)Background is that url.Path in http.Request is already escaped (as the documentation for url.Path suggests), but echo is unescaping it again.
I tried to generate a fix. For the non-embedded case this is solved by simply removing the explicit url.PathUnescape call in static.go (see https://github.com/georgmu/echo/commit/852dedeca2a22a0b6967e71f69cbb0823959a198 which also contains some test cases). I haven't created a merge request yet, as the embedding using groups or path patterns is a bit more complicated (I haven't fully understand the case for the disablePathUnescaping toggle).
Steps to reproduce / Working code to debug
See test cases in https://github.com/georgmu/echo/commit/852dedeca2a22a0b6967e71f69cbb0823959a198
Version/commit
master ( commit fa70db8 )