modrinth / code

The Modrinth monorepo containing all code which powers Modrinth!
https://modrinth.com
Other
975 stars 181 forks source link

$ and : should be illegal in uploaded filenames #2569

Open kb-1000 opened 6 months ago

kb-1000 commented 6 months ago

Describe the bug

Especially on Windows, those characters are illegal in filenames and will break anything that just uses the filename provided by modrinth in the API or URL. On some platforms, filenames containing .. (two dots) may have special meaning as well.

Steps to reproduce

  1. Upload a file containing : in its name
  2. It uploads successfully without escaping.

Expected behavior

It should fail.

Additional context

This has been found thanks to https://cdn.modrinth.com/data/PmwWNPV6/versions/5v69ptOa/Technical%20Electrical%3A%20Whimsical%20Wonders-4.1.3.mrpack

brawaru commented 6 months ago

The sanitisation of the paths is the responsibility of the program. Some elements illegal in Windows paths aren't illegal in Unix paths, and vice versa. Modrinth modpacks are distributed outside of Modrinth as well, so if you trust on Modrinth to do the basic security stuff for you, you set yourself for failure.

Cheesy-Brik commented 6 months ago

Dropping these here https://www.mtu.edu/umc/services/websites/writing/characters-avoid/ https://help.interfaceware.com/v6/windows-reserved-file-names

TacoGS commented 6 months ago

That is an interesting mentality for an API to take. Instead of resolving illegal characters issue as a single upstream source they kick it down to the downstream app developers to do it X number of times.

kb-1000 commented 6 months ago

Note that I'm not referring to the files mentioned by the modpack index, I'm referring to the filename of the modpack file, or other uploaded files.

Prospector commented 6 months ago

We could probably fix this going forward but anything that downloads files should do the job of sanitizing the file name for the operating system. For example, this is what browsers do if you try to download that file in a browser.