search

meganz / MEGAcmd

Command Line Interactive and Scriptable Application to access MEGA
Other
1.94k stars 407 forks source link

Violation of RFC 2518 - URI Encode href-Elements #183

Open AliveDevil opened 5 years ago

AliveDevil commented 5 years ago

The DAV implementation violates URI escaping for the DAV:href-element on propfind requests if an element contains space (" ") characters. RFC 2518 describes in 12.3[^1] the href-element. This should have a value of type URI which is described in RFC 2068 in section 3.2.1[^2]. URIs must not contain space characters thus all responses of propfind requests are invalid.

This is reported by your server software:

<d:response>
    <d:href>http://diskstation.speedport.ip:4443/dgA1zDxJ/Cloud Drive/</d:href>
    <d:propstat>
        <d:status>HTTP/1.1 200 OK</d:status>
        <d:prop>
            <d:displayname>Cloud Drive</d:displayname>
            <d:creationdate>Sat, 19 Jan 2013 18:17:30 GMT</d:creationdate>
            <d:getlastmodified>Thu, 01 Jan 1970 00:00:00 GMT</d:getlastmodified>
            <d:resourcetype>
                <d:collection />
            </d:resourcetype>
        </d:prop>
    </d:propstat>
</d:response>

This is expected output:

<d:href>http://diskstation.speedport.ip:4443/dgA1zDxJ/Cloud%20Drive/</d:href>

Used implementation: Synology MEGAcmd

1: https://tools.ietf.org/html/rfc2518#section-12.3 2: https://tools.ietf.org/html/rfc2068#section-3.2.1

knackrack615 commented 5 years ago

Hello, same issue here with MegaCMD on Windows, URLs are not properly encoded and thus i'm having issues while trying to access folders that contain Spaces or Special Characters.

polmr commented 5 years ago

Ey there, this commit (although might not be 100% compliant with RFC2068 S3.2.1) in the SDK submodule should fix that: https://github.com/meganz/sdk/commit/0b9efe18f000246ddc2ac690e5075cde9ffe8f83#diff-c3de3d92d9d9472cc3d715cb978d2940R24125 . MEGAcmd release 1.1.0 has it included (@knackrack615 please, have the latest version downloaded from https://mega.nz/cmd). For Synology we haven't release 1.1.0 yet I'm afraid. @AliveDevil if you can't wait, you might want to try and build: https://github.com/meganz/MEGAcmd/tree/master/build/SynologyNAS. Btw, thanks for the detailed and well documented report.

AliveDevil commented 5 years ago

I can confirm with 1.1.0 this particular issue (Whitespace in HREF) is resolved.

Next issue: If there is a "+" sign inside a file/folder name this is the result:


<d:response>
    <d:href>http://alive-mega/dgA1zDxJ/Cloud%20Drive/Test%2BTest</d:href>
    <d:propstat>
        <d:status>HTTP/1.1 200 OK</d:status>
        <d:prop>
            <d:displayname>Test&add;Test</d:displayname>
            <d:creationdate>Mon, 01 Apr 2019 09:48:09 GMT</d:creationdate>
            <d:getlastmodified>Thu, 01 Jan 1970 00:00:00 GMT</d:getlastmodified>
            <d:resourcetype>
                <d:collection />
            </d:resourcetype>
        </d:prop>
    </d:propstat>
</d:response>
```xml
Issue: `<d:displayname>Test&add;Test</d:displayname>` is not valid. https://tools.ietf.org/html/rfc2518#section-13.2

Postman complains about "&add; entity not found."
![image](https://user-images.githubusercontent.com/734738/55624296-c8b47200-57a5-11e9-8446-601b36fa7fcf.png)

Eventually just `<![CDATA[]]!>` the displayname?
knackrack615 commented 5 years ago

@polmr Just downloaded the latest version of MegaCMD and are no longer experiencing any issues with spaces (My bad, i thought i was using the latest version).

The issue @AliveDevil mentioned is my main issue right now, as i use MegaCMD for reading my projects remotely and many of them have "+" in the folder names causing my drive mount utility to crash/not display any files.